Enforcer Implementation Guide SNAC11.0.5

Enforcer Implementation Guide for Symantec Network Access Control

Transcript of Enforcer Implementation Guide SNAC11.0.5

Page 1: Enforcer Implementation Guide SNAC11.0.5

Enforcer Implementation Guide for Symantec™ Network Access Control


Symantec Network Access Control Enforcer Implementation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 11.00.05.00.00

Legal Notice

Copyright © 2009 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week

■ Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system


■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and maintenance contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals


Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

[email protected] (Asia-Pacific and Japan)

[email protected] (Europe, Middle-East, and Africa)

[email protected] (North America and Latin America)

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

■ Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.


Contents

Technical Support ... 4

Section 1 Installing and configuring the Symantec Network Access Control Enforcer appliances ... 23

Chapter 1 Introducing the Enforcer appliance ... 25
    About the Symantec Enforcer appliances ... 25
    Types of enforcement ... 26
    What you can do with Symantec Network Access Control Enforcer appliances ... 28
    About Host Integrity policies and the Enforcer appliance ... 30
    Communication between an Enforcer appliance and a Symantec Endpoint Protection Manager ... 31
    Communication between the Enforcer appliance and clients ... 31
    How the Gateway Enforcer appliance works ... 32
    How the DHCP Enforcer appliance works ... 33
    How the LAN Enforcer appliance works ... 35
        How LAN Enforcer basic configuration works ... 36
        How LAN Enforcer transparent mode works ... 36
        About 802.1x authentication ... 37
    Support for third-party enforcement solutions ... 38
    Where to find more information about the Symantec Enforcer appliances ... 38

Chapter 2 Planning for the Enforcer appliance installation ... 41
    Installation planning for Enforcer appliances ... 41
    Installation planning for a Gateway Enforcer appliance ... 42
        Where to place a Gateway Enforcer appliance ... 42
        Guidelines for IP addresses on a Gateway Enforcer appliance ... 45



        About two Gateway Enforcer appliances in a series ... 45
        Protection of VPN access through a Gateway Enforcer appliance ... 46
        Protection of wireless access points through a Gateway Enforcer appliance ... 46
        Protection of servers through a Gateway Enforcer appliance ... 46
        Protection of non-Windows servers and clients through a Gateway Enforcer appliance ... 47
        Requirements for allowing non-Windows clients without authentication ... 48
    Failover planning for Gateway Enforcer appliances ... 49
        How failover works with Gateway Enforcer appliances in the network ... 49
        Where to place Gateway Enforcer appliances for failover in a network with one or more VLANs ... 50
        Setting up Gateway Enforcer appliances for failover ... 52
    Installation planning for a DHCP Enforcer appliance ... 52
        Where to place DHCP Enforcer appliances in a network ... 52
        DHCP Enforcer appliance IP addresses ... 54
        Protection of non-Windows clients with DHCP enforcement ... 55
        About the DHCP server ... 56
    Failover planning for DHCP Enforcer appliances ... 57
        How failover works with DHCP Enforcer appliances in the network ... 57
        Where to place DHCP Enforcer appliances for failover in a network with only one or multiple VLANs ... 58
        Setting up DHCP Enforcer appliances for failover ... 59
    Installation planning for a LAN Enforcer appliance ... 61
        Where to place LAN Enforcer appliances ... 61
    Failover planning for LAN Enforcer appliances ... 64
        Where to place LAN Enforcer appliances for failover in a network ... 64

Chapter 3 Upgrading and migrating Enforcer appliance images ... 67
    About upgrading and migrating Enforcer appliance images to version 11.0.3000 ... 67
    Determining the current version of an Enforcer appliance image ... 68



    Upgrading the Enforcer appliance image from 11.0 or 11.0.2000 to 11.0.3000 ... 68
    Migrating the Enforcer appliance image from 5.1.x to 11.0.3000 ... 69
    Reimaging an Enforcer appliance image ... 70

Chapter 4 Installing the Enforcer appliance for the first time ... 71
    Before you install the Enforcer appliance ... 71
        About the Gateway Enforcer appliance installation ... 71
        About the DHCP Enforcer appliance installation ... 72
        About the LAN Enforcer appliance installation ... 73
        About the Enforcer appliance indicators and controls ... 73
        Gateway Enforcer appliance or DHCP Enforcer appliance NIC settings ... 75
    Installing an Enforcer appliance ... 75
        About the Enforcer appliance lock ... 80

Chapter 5 Performing basic tasks on the console of an Enforcer appliance ... 81
    About performing basic tasks on the console of an Enforcer appliance ... 81
    Logging on to an Enforcer appliance ... 82
    Configuring a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager ... 83
    Checking the communication status of an Enforcer appliance on the Enforcer console ... 85
    Remote access to an Enforcer appliance ... 86
    Enforcer reports and debug logs ... 86

Chapter 6 Configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager Console ... 87
    About configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager Console ... 88
    Changing Gateway Enforcer appliance configuration settings on a management server ... 88
    Using general settings ... 91
        Adding or editing the description of a Gateway Enforcer appliance group ... 91
        Adding or editing the description of a Gateway Enforcer appliance ... 92



        Adding or editing the IP address or host name of a Gateway Enforcer appliance ... 92
        Establishing communication between a Gateway Enforcer appliance and a Symantec Endpoint Protection Manager through a management server list ... 93
    Using authentication settings ... 94
        About using authentication settings ... 94
        About authentication sessions on a Gateway Enforcer appliance ... 97
        About client authentication on a Gateway Enforcer appliance ... 98
        Specifying the maximum number of challenge packets during an authentication session ... 99
        Specifying the frequency of challenge packets to be sent to clients ... 100
        Specifying the time period for which a client is blocked after it fails authentication ... 101
        Specifying the time period for which a client is allowed to retain its network connection without reauthentication ... 101
        Allowing all clients with continued logging of non-authenticated clients ... 102
        Allowing non-Windows clients to connect to a network without authentication ... 103
        Having the Gateway Enforcer appliance check the policy serial number on a client ... 104
        Sending a message from a Gateway Enforcer appliance to a client about non-compliance ... 105
        Redirecting HTTP requests to a Web page ... 106
    Authentication range settings ... 107
        Client IP ranges compared to trusted external IP addresses ... 108
        When to use client IP ranges ... 108
        About trusted IP addresses ... 109
        Adding client IP address ranges to the list of addresses that require authentication ... 111
        Editing client IP address ranges on the list of addresses that require authentication ... 112
        Removing client IP address ranges from the list of addresses that require authentication ... 113
        Adding a trusted internal IP address for clients on a management server ... 113
        Specifying trusted external IP addresses ... 114
        Editing trusted internal or external IP address ... 115
        Removing a trusted internal or trusted external IP address ... 115



        IP range checking order ... 116
    Using advanced Gateway Enforcer appliance settings ... 116
        Specifying packet types and protocols ... 117
        Allowing a legacy client to connect to the network with a Gateway Enforcer appliance ... 118
        Enabling local authentication on a Gateway Enforcer appliance ... 119

Chapter 7 Configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager Console ... 121
    About configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager Console ... 122
    Changing DHCP Enforcer appliance configuration settings on a management server ... 122
    Using general settings ... 124
        Adding or editing the name of an Enforcer group with a DHCP Enforcer ... 124
        Adding or editing the description of an Enforcer group with a DHCP Enforcer ... 124
        Adding or editing the IP address or host name of a DHCP Enforcer ... 125
        Adding or editing the description of a DHCP Enforcer ... 125
        Connecting the DHCP Enforcer to a Symantec Endpoint Protection Manager ... 125
    Using authentication settings ... 127
        About using authentication settings ... 127
        About Authentication sessions ... 129
        Specifying the maximum number of challenge packets during an authentication session ... 130
        Specifying the frequency of challenge packets to be sent to clients ... 131
        Allowing all clients with continued logging of non-authenticated clients ... 132
        Allowing non-Windows clients to connect to a network without authentication ... 133
        Having the DHCP Enforcer check the Policy Serial Number on a client ... 134
        Sending a message from a DHCP Enforcer appliance to a client about non-compliance ... 135
    Using DHCP servers settings ... 136
        About using DHCP servers settings ... 136



        Combining a normal and a quarantine DHCP server on one computer ... 137
        Enabling separate normal and quarantine DHCP servers ... 137
        Adding a normal DHCP server ... 138
        Adding a quarantine DHCP server ... 139
    Using advanced DHCP Enforcer appliance settings ... 140
        Setting up an automatic quarantine for a client that fails authentication ... 141
        Specifying a DHCP Enforcer appliance's wait period before it grants a client access to the network ... 141
        Enabling servers, clients, and devices to connect to the network as trusted hosts without authentication ... 142
        Preventing DNS spoofing ... 143
        Allowing a legacy client to connect to the network with a DHCP Enforcer appliance ... 144
        Enabling local authentication on the DHCP Enforcer appliance ... 144

Chapter 8 Configuring the Symantec LAN Enforcer appliance on the Symantec Endpoint Protection Manager Console ... 147
    About configuring the Symantec LAN Enforcer on the Symantec Endpoint Protection Manager appliance console ... 148
    About configuring RADIUS servers on a LAN Enforcer appliance ... 148
    About configuring 802.1x wireless access points on a LAN Enforcer appliance ... 149
    Changing LAN Enforcer configuration settings on a Symantec Endpoint Protection Manager Console ... 150
    Using general settings ... 152
        Adding or editing the name of a LAN Enforcer appliance group with a LAN Enforcer ... 153
        Specifying a listening port that is used for communication between a VLAN switch and a LAN Enforcer ... 153
        Adding or editing the description of an Enforcer group with a LAN Enforcer ... 154
        Adding or editing the IP address or host name of a LAN Enforcer ... 154
        Adding or editing the description of a LAN Enforcer ... 154
        Connecting the LAN Enforcer to a Symantec Endpoint Protection Manager ... 155
    Using RADIUS server group settings ... 156

    Adding a RADIUS server group name and RADIUS server ... 157
    Editing the name of a RADIUS server group ... 158
    Editing the friendly name of a RADIUS server ... 159
    Editing the host name or IP address of a RADIUS server ... 160
    Editing the authentication port number of a RADIUS server ... 160
    Editing the shared secret of a RADIUS server ... 161
    Deleting the name of a RADIUS server group ... 162
    Deleting a RADIUS server ... 162
  Using switch settings ... 163
    About using switch settings ... 163
    About the support for attributes of switch models ... 164
    Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard ... 168
    Editing basic information about the switch policy and 802.1x-aware switch ... 175
    Editing information about the 802.1x-aware switch ... 180
    Editing VLAN information for the switch policy ... 182
    Editing action information for the switch policy ... 184
  Using advanced LAN Enforcer appliance settings ... 188
    Allowing a legacy client to connect to the network with a LAN Enforcer appliance ... 188
    Enabling local authentication on the LAN Enforcer appliance ... 189
  Using 802.1x authentication ... 189
    About reauthentication on the client computer ... 192

Chapter 9 Setting up temporary connections for Symantec Network Access Control On-Demand clients ... 193
  About setting up temporary connections for Symantec Network Access Control On-Demand Clients ... 193
  Before you configure Symantec Network Access Control On-Demand clients on the console of a Gateway or DHCP Enforcer ... 194
  Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network ... 197
  Setting up authentication on the Gateway or DHCP Enforcer console for Symantec Network Access Control On-Demand clients ... 199
    Setting up authentication with a local on-board database ... 199
    Setting up authentication with a Microsoft Windows 2003 Server Active Directory ... 200
    Setting up the On-Demand Client on Windows for authentication with the dot1x protocol ... 201

    Setting up the On-Demand Client on Windows for authentication with the peap protocol ... 201
  Editing the banner on the Welcome page ... 202
  Troubleshooting the connection between the Enforcer and the On-Demand clients ... 203

Chapter 10 Enforcer appliance command-line interface ... 207
  About the Enforcer appliance CLI command hierarchy ... 207
  CLI command hierarchy ... 208
  Moving up and down the command hierarchy ... 211
  Enforcer appliance CLI keystroke shortcuts ... 211
  Getting help with CLI commands ... 213

Chapter 11 Enforcer appliance command-line interface reference ... 215
  Command conventions ... 215
  Enforcer appliance CLI in alphabetical reference ... 216
  Top-level commands ... 233
    Clear ... 233
    Date ... 233
    Exit ... 233
    Help ... 234
    Hostname ... 235
    Password ... 235
    Ping ... 235
    Reboot ... 236
    Shutdown ... 236
    Show ... 236
    Start ... 238
    Stop ... 238
    Traceroute ... 238
    Update ... 238
  Capture commands ... 239
    Capture Compress ... 239
    Capture Filter ... 239
    Capture Show ... 240
    Capture Start ... 241
    Capture Upload ... 242
    Capture Verbose ... 242
  Configure commands ... 243
    Configure advanced commands ... 243
    Configure DNS ... 249

    Configure Interface ... 250
    Configure interface-role ... 251
    Configure NTP ... 251
    Configure Redirect ... 252
    Configure Route ... 252
    Configure Show ... 253
    Configure SPM ... 253
  Console commands ... 254
    Console Baud-rate ... 254
    Console SSH ... 255
    Console SSHKEY ... 255
    Console Show ... 255
  Debug Commands ... 255
    Debug Destination ... 256
    Debug Level ... 256
    Debug Show ... 257
    Debug Upload ... 257
  MAB commands ... 258
    MAB database commands ... 258
    MAB disable command ... 260
    MAB enable command ... 261
    MAB LDAP commands ... 261
    MAB show command ... 264
  Monitor commands ... 264
    Monitor refresh command ... 265
    Monitor show command ... 265
    Monitor show blocked-hosts command ... 265
    Monitor show connected-guests commands ... 266
    Monitor show connected-users command ... 268
  SNMP commands ... 268
    SNMP disable command ... 268
    SNMP enable command ... 269
    SNMP heartbeat command ... 269
    SNMP receiver command ... 269
    SNMP show command ... 270
    SNMP trap command ... 270
  On-Demand commands ... 271
    On-Demand authentication commands ... 271
    On-Demand banner command ... 277
    On-Demand client-group command ... 277
    On-Demand dot1x commands ... 278
    On-Demand show command ... 287
    On-Demand spm-domain command ... 288

    On-Demand mac-compliance commands ... 289

Chapter 12 Troubleshooting an Enforcer appliance ... 293
  About troubleshooting an Enforcer appliance ... 293
  General troubleshooting topics and known issues ... 294
  About debug information transfer over the network ... 294

Chapter 13 Frequently asked questions about the Gateway, DHCP, or LAN Enforcer appliances ... 297
  Enforcement questions ... 297
    Which antivirus software provides support for host integrity? ... 297
    Can Host Integrity policies be set at the group level or the global level? ... 299
    Can you create a custom host integrity message? ... 299
    What happens if Enforcer appliances cannot communicate with Symantec Endpoint Protection Managers? ... 299
    Is a RADIUS server required when a LAN Enforcer appliance runs in transparent mode? ... 300
    How does enforcement manage computers without clients? ... 300

Section 2 Installing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers ... 303

Chapter 14 Introducing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers ... 305
  About the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers ... 305
  How an Integrated Enforcer for Microsoft DHCP Servers works ... 306
  How to get started with the installation of an Integrated Enforcer for Microsoft DHCP Servers ... 307
  Where to find more information about related documentation for an Integrated Enforcer for Microsoft DHCP Servers ... 308

Chapter 15 Planning for the installation of the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers ... 311
  About planning for the installation of an Integrated Enforcer for Microsoft DHCP Servers ... 311
  Required components for an Integrated Enforcer for Microsoft DHCP Servers ... 312
  Hardware requirements for an Integrated Enforcer for Microsoft DHCP Servers ... 312
  Operating system requirements for an Integrated Enforcer for Microsoft DHCP Servers ... 313
  Planning for the placement of an Integrated Enforcer for Microsoft DHCP Servers ... 313

Chapter 16 Installing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers ... 315
  Before you install the Integrated Enforcer for Microsoft DHCP Servers ... 315
  Installing an Integrated Enforcer for Microsoft DHCP Servers ... 316
  Upgrading the Integrated Enforcer for Microsoft DHCP Servers ... 319

Section 3 Installing the Symantec NAC Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers (Integrated Lucent Enforcer) ... 321

Chapter 17 Introducing the Symantec NAC Integrated Lucent Enforcer ... 323
  About the Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers (Integrated Lucent Enforcer) ... 323
  What you can do with the Integrated Lucent Enforcer ... 324
  How the Integrated Lucent Enforcer works ... 324
  Where to find more information about related documentation for an Integrated Lucent Enforcer ... 326

Chapter 18 Planning for the installation of the Symantec NAC Integrated Lucent Enforcer ... 329
  About planning for the installation of an Integrated Lucent Enforcer ... 329
  Required components for an Integrated Lucent Enforcer ... 330
  Planning for the placement of an Integrated Lucent Enforcer ... 331
  Hardware requirements for an Integrated Lucent Enforcer ... 333
  Operating system requirements for an Integrated Lucent Enforcer ... 333

Chapter 19 Installing the Symantec NAC Integrated Lucent Enforcer ... 335
  Before you install the Integrated Lucent Enforcer ... 335
  Installing an Integrated Lucent Enforcer ... 336
  Uninstalling an Integrated Lucent Enforcer ... 338
  Stopping and starting the Lucent VitalQIP Enterprise DHCP Server ... 339

Section 4 Configuring Symantec NAC Integrated Enforcers on the Enforcer console ... 341

Chapter 20 Configuring the Symantec NAC Integrated Enforcers on the Enforcer console ... 343
  About configuring the Symantec NAC Integrated Enforcer on an Enforcer console ... 344
  Establishing or changing communication between a Symantec NAC Integrated Enforcer and Symantec Endpoint Protection Manager servers ... 344
  Configuring automatic quarantine ... 347
  Configuring Symantec NAC Integrated Enforcer basic settings ... 349
    Adding or editing the name of an Enforcer group for Symantec NAC Integrated Enforcer ... 349
    Adding or editing the description of an Enforcer group with a Symantec NAC Integrated Enforcer ... 350
    Adding or editing the IP address or host name of a Symantec NAC Integrated Enforcer ... 350
    Adding or editing the description of a Symantec NAC Integrated Enforcer ... 350
    Connecting the Symantec NAC Integrated Enforcer to a Symantec Endpoint Protection Manager ... 351

    Editing a Symantec Endpoint Protection Manager connection ... 352
  Configuring a trusted vendor list ... 353
  Viewing Enforcer logs on an Enforcer console ... 353
  Configuring logs for the Symantec NAC Integrated Enforcer ... 354
  Configuring Symantec NAC Integrated Enforcer authentication settings ... 354
    About using authentication settings ... 355
    About authentication sessions ... 356
    Specifying the maximum number of challenge packets during an authentication session ... 358
    Specifying the frequency of challenge packets to be sent to clients ... 358
    Allowing all clients with continued logging of non-authenticated clients ... 359
    Allowing non-Windows clients to connect to a network without authentication ... 360
    Having the Symantec NAC Integrated Enforcer check the Policy Serial Number on a client ... 361
    Sending a message from a Symantec NAC Integrated Enforcer to a client about non-compliance ... 362
  Establishing communication between a Symantec NAC Integrated Enforcer and a Network Access Control Scanner on an Enforcer console ... 362
  Configuring Symantec NAC Integrated Enforcer advanced settings ... 363
    Enabling servers, clients, and devices to connect to the network as trusted hosts without authentication ... 364
    Enabling local authentication on the Integrated Enforcer ... 365
  Stopping and starting communication services between an Integrated Enforcer and a management server ... 365
  Disconnecting an Integrated Lucent Enforcer from a management server on an Enforcer console ... 367
  Configuring a secure subnet mask ... 368

Section 5 Installing and configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection ... 369

Chapter 21 Introducing the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection ... 371
  About the Integrated Enforcer for Microsoft Network Access Protection ... 371

Chapter 22 Planning for the installation of the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection ... 373
  About planning for the installation of the Symantec Integrated NAP Enforcer ... 373
  Required components for a Symantec Integrated NAP Enforcer ... 374
  Hardware requirements for a Symantec Integrated NAP Enforcer ... 374
  Operating system requirements for a Symantec Integrated NAP Enforcer ... 375
  Operating system requirements for a Symantec Network Access Control client ... 376

Chapter 23 Installing the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection ... 377
  Before you install the Symantec Integrated NAP Enforcer ... 377
  Installing the Symantec Integrated NAP Enforcer ... 378

Chapter 24 Configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection on an Enforcer console ... 381
  About configuring a Symantec Integrated NAP Enforcer on an Enforcer console ... 382
  Connecting a Symantec Integrated NAP Enforcer to a management server on an Enforcer console ... 382
  Encrypting communication between a Symantec Integrated NAP Enforcer and a management server ... 384


Setting up an Enforcer group name on the Symantec Integrated NAP Enforcer console ... 385

Setting up an HTTP communication protocol on the Symantec Integrated NAP Enforcer console ... 386

Chapter 25 Configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection on a Symantec Endpoint Protection Manager console ... 387

About configuring the Symantec Integrated NAP Enforcer on a Symantec Endpoint Protection Manager Console ... 388

Enabling NAP enforcement for clients ... 388

Verifying that the management server manages the client ... 388

Verifying Security Health Validator policies ... 389

Verifying that the client passes the Host Integrity check ... 389

Enabling local authentication on the Symantec Integrated NAP Enforcer ... 390

Configuring logs for the Symantec Integrated NAP Enforcer ... 391

Section 6 Administering enforcers from the Symantec Endpoint Protection Manager console ... 393

Chapter 26 Managing Enforcers on the Symantec Endpoint Protection Manager console ... 395

About managing Enforcers on the management server console ... 396

About managing Enforcers from the Servers page ... 396

About Enforcer groups ... 397

How the console determines the Enforcer group name ... 397

About failover Enforcer groups ... 397

About changing a group name ... 397

About creating a new Enforcer group ... 398

About the Enforcer information that appears on the Enforcer console ... 398

Displaying information about the Enforcer on the management console ... 399

Changing an Enforcer's name and description ... 400

Deleting an Enforcer or an Enforcer group ... 400

Exporting and importing Enforcer group settings ... 401

Pop-up messages for blocked clients ... 401


Messages for the computers that are running the client ... 402

Messages for Windows computers that are not running the client (Gateway or DHCP Enforcer only) ... 402

Setting up the Enforcer messages ... 403

About client settings and the Enforcer ... 403

Configuring clients to use a password to stop the client service ... 403

Section 7 Working with enforcer reports and logs ... 405

Chapter 27 Managing Enforcer reports and logs ... 407

About Enforcer reports ... 407

About Enforcer logs ... 408

About the Enforcer Server log ... 408

About the Enforcer Client log ... 409

About the Gateway Enforcer Traffic log ... 410

Configuring Enforcer log settings ... 411

Disabling Enforcer logging on the Symantec Endpoint Protection Manager Console ... 411

Enabling the sending of Enforcer logs from an Enforcer to the Symantec Endpoint Protection Manager ... 412

Setting up the size and age of Enforcer logs ... 412

Filtering the Traffic logs for an Enforcer ... 413

Index ... 415


Section 1 Installing and configuring the Symantec Network Access Control Enforcer appliances

■ Chapter 1. Introducing the Enforcer appliance

■ Chapter 2. Planning for the Enforcer appliance installation

■ Chapter 3. Upgrading and migrating Enforcer appliance images

■ Chapter 4. Installing the Enforcer appliance for the first time

■ Chapter 5. Performing basic tasks on the console of an Enforcer appliance

■ Chapter 6. Configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager Console

■ Chapter 7. Configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager Console

■ Chapter 8. Configuring the Symantec LAN Enforcer appliance on the Symantec Endpoint Protection Manager Console

■ Chapter 9. Setting up temporary connections for Symantec Network Access Control On-Demand clients


■ Chapter 10. Enforcer appliance command-line interface

■ Chapter 11. Enforcer appliance command-line interface reference

■ Chapter 12. Troubleshooting an Enforcer appliance

■ Chapter 13. Frequently asked questions about the Gateway, DHCP, or LAN Enforcer appliances


Chapter 1 Introducing the Enforcer appliance

This chapter includes the following topics:

■ About the Symantec Enforcer appliances

■ Types of enforcement

■ What you can do with Symantec Network Access Control Enforcer appliances

■ About Host Integrity policies and the Enforcer appliance

■ How the Gateway Enforcer appliance works

■ How the DHCP Enforcer appliance works

■ How the LAN Enforcer appliance works

■ Support for third-party enforcement solutions

■ Where to find more information about the Symantec Enforcer appliances

About the Symantec Enforcer appliances

Symantec Enforcers are the optional network components that work with the Symantec Endpoint Protection Manager.

The following Linux-based Symantec Enforcer appliances work with managed clients, such as Symantec Endpoint Protection clients and Symantec Network Access Control clients, to protect the enterprise network:

■ Symantec Network Access Control Gateway Enforcer appliance

■ Symantec Network Access Control DHCP Enforcer appliance


■ Symantec Network Access Control LAN Enforcer appliance

All Windows-based Symantec Enforcers work with managed clients, such as the Symantec Endpoint Protection client and the Symantec Network Access Control client, to protect the enterprise network.

Note: The Symantec Network Access Control Integrated Enforcer for Microsoft Network Access Protection does not work with guest clients, such as the Symantec Network Access Control On-Demand clients on the Windows and Macintosh platforms.

Installation, configuration, and administration instructions are included in the documentation for the following Windows-based Enforcers:

■ Symantec Network Access Control Integrated Enforcer for Microsoft DHCP servers
See “About the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers” on page 305.

■ Symantec Network Access Control Integrated Enforcer for Microsoft Network Access Protection
See “About the Integrated Enforcer for Microsoft Network Access Protection” on page 371.

■ Symantec Network Access Control Integrated DHCP Enforcer for Alcatel-Lucent VitalQIP DHCP servers
See “About the Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers (Integrated Lucent Enforcer)” on page 323.

Types of enforcement

Table 1-1 lists the optional Enforcer appliances and Windows-based Enforcers.


Table 1-1 Types of enforcement (type of Enforcer appliance, followed by its description)

Symantec Gateway Enforcer appliance

Provides the enforcement at access points for the external computers that connect remotely through one of the following methods:

■ Virtual private network (VPN)

■ Wireless LAN

■ Remote Access Server (RAS)

You can also set up the Gateway Enforcer appliance to restrict access to certain servers by allowing only specified IP addresses. The Symantec Gateway Enforcer is supported on an Enforcer appliance.

See “How the Gateway Enforcer appliance works” on page 32.

See “Installation planning for a Gateway Enforcer appliance” on page 42.

Symantec LAN Enforcer appliance

Provides the enforcement for the clients that connect to the network through a switch or a wireless access point that supports 802.1x authentication. The LAN Enforcer appliance acts as a Remote Authentication Dial-In User Service (RADIUS) proxy. It can work with or without a RADIUS server that provides user-level authentication. The Symantec LAN Enforcer is supported on an Enforcer appliance.

See “How the LAN Enforcer appliance works” on page 35.

See “Installation planning for a LAN Enforcer appliance” on page 61.

Symantec DHCP Enforcer appliance

Provides the enforcement for the clients that gain access to the network. Clients receive a dynamic IP address through a Dynamic Host Configuration Protocol (DHCP) server. The Symantec DHCP Enforcer is supported on an Enforcer appliance.

See “How the DHCP Enforcer appliance works” on page 33.

See “Installation planning for a DHCP Enforcer appliance” on page 52.


Symantec Integrated Enforcer for Microsoft DHCP Servers

Provides the enforcement for the clients that gain access to the network. Clients receive a dynamic IP address through a Dynamic Host Configuration Protocol (DHCP) server. The Symantec Integrated DHCP Enforcer is supported on the Windows platform. The Symantec Integrated Enforcer for Microsoft DHCP Servers is not supported on an Enforcer appliance.

See “How an Integrated Enforcer for Microsoft DHCP Servers works” on page 306.

See “Planning for the placement of an Integrated Enforcer for Microsoft DHCP Servers” on page 313.

Symantec Integrated Enforcer for Microsoft Network Access Protection

Provides the enforcement for the clients that gain access to the network. Clients receive a dynamic IP address or pass 802.1x authentication through a Dynamic Host Configuration Protocol (DHCP) server. The Symantec Integrated NAP Enforcer is supported on the Windows Server 2008 platform. The Symantec Integrated Enforcer for Microsoft Network Access Protection is not supported on an Enforcer appliance.

Symantec Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers

Provides the enforcement for the clients that gain access to the network. Clients receive a dynamic IP address or pass 802.1x authentication through a Dynamic Host Configuration Protocol (DHCP) server. The Symantec Integrated DHCP Enforcer is supported on the Windows platform. The Symantec Integrated DHCP Enforcer for Alcatel-Lucent VitalQIP DHCP Servers is not supported on an Enforcer appliance.

What you can do with Symantec Network Access Control Enforcer appliances

The optional Enforcer appliance is installed at network endpoints for external clients or internal clients.

For example, you can install an Enforcer appliance between the network and a VPN server or in front of a DHCP server. You can also set it up for enforcement on the client computers that connect to the network with an 802.1x-aware switch or a wireless access point.

An Enforcer appliance performs host authentication rather than user-level authentication. It ensures that the client computers that try to connect to an enterprise network comply with the security policies of that enterprise. You can configure a company's security policies on the Symantec Endpoint Protection Manager.

If the client does not comply with the security policies, the Enforcer appliance can take the following actions:

■ Block its access to the network.

■ Allow access to limited resources only.

The optional Enforcer appliance can redirect the client to a quarantine area with a remediation server. The client can then obtain the required software, applications, signature files, or patches from the remediation server.

For example, part of a network may already be configured for the clients that connect to the local area network (LAN) through 802.1x-aware switches. If that is the case, you can use a LAN Enforcer appliance for these clients.

You can also use a LAN Enforcer appliance for the clients that connect through a wireless access point that is 802.1x-enabled.

See “How the LAN Enforcer appliance works” on page 35.

See “Installation planning for a LAN Enforcer appliance” on page 61.

You may have other parts of the network that are not set up for 802.1x support. You can use a DHCP Enforcer appliance to manage enforcement for these clients.

See “How the DHCP Enforcer appliance works” on page 33.

See “Installation planning for a DHCP Enforcer appliance” on page 52.

If you have employees who work remotely and connect through a VPN or dial-up, you can use the Gateway Enforcer appliance for those clients.

You can also use the Gateway Enforcer appliance if a wireless access point is not 802.1x-enabled.

See “How the Gateway Enforcer appliance works” on page 32.

See “Installation planning for a Gateway Enforcer appliance” on page 42.

If high availability is required, you can install two or more Gateway, DHCP, or LAN Enforcer appliances at the same location to provide failover.

See “Failover planning for Gateway Enforcer appliances” on page 49.

See “Failover planning for DHCP Enforcer appliances” on page 57.

See “Failover planning for LAN Enforcer appliances” on page 64.

If you want to implement high availability for LAN Enforcer appliances, you must install multiple LAN Enforcer appliances and the 802.1x-aware switch. High availability is accomplished through the addition of the 802.1x-aware switch. If you only install multiple LAN Enforcer appliances without an 802.1x-aware switch, then high availability fails. You can configure an 802.1x-aware switch for high availability.

For information about the configuration of an 802.1x-aware switch for high availability, see the accompanying documentation for the 802.1x-aware switch.

In some network configurations, a client may connect to a network through more than one Enforcer appliance. After the first Enforcer appliance provides authentication to the client, all the remaining Enforcer appliances must authenticate the client before the client can connect to the network.

About Host Integrity policies and the Enforcer appliance

The security policies that all Enforcer appliances check on client computers are called Host Integrity policies. You create and manage Host Integrity policies on the console of a Symantec Endpoint Protection Manager.

Host Integrity policies specify the software that is required to run on a client. For example, you can specify that the following security software that is located on a client computer must comply with certain requirements:

■ Antivirus software

■ Antispyware software

■ Firewall software

■ Patches

■ Service packs

If the predefined requirements do not meet your needs, you can also customize the requirements.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information about how to configure and customize Host Integrity policies.

You can configure clients to run Host Integrity checks at various times. When a client tries to connect to the network, it runs a Host Integrity check. It then sends the results to an Enforcer appliance.

Typically the Enforcer appliance is set up to verify that the client passes the Host Integrity check before it grants network access to the client. If the client passes the Host Integrity check, it is in compliance with the Host Integrity policy at your company. However, each type of Enforcer appliance defines the network access criteria differently.
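The following is an added example of how a Host Integrity check of the kind described above can be evaluated; it is not Symantec's code and does not reproduce the client's real policy format. The requirement kinds follow the list above (antivirus, antispyware, firewall, patches, service packs, plus a customized requirement); the `Requirement` layout, the inventory dictionary a client reports, the evaluation date and the `KB-EXAMPLE-*` patch names are constructed assumptions.

```python
"""Host Integrity evaluation, added example (not Symantec's code).
The policy layout, the inventory layout and all sample values are constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Requirement:
    """One requirement of a Host Integrity policy (constructed layout)."""
    name: str
    kind: str            # antivirus | antispyware | firewall | patch | service_pack | custom
    params: dict = field(default_factory=dict)


def check_requirement(req, inventory, today):
    """Return (passed, reason) for one requirement against the client's inventory."""
    if req.kind in ("antivirus", "antispyware"):
        product = inventory.get(req.kind)
        if not product or not product.get("running"):
            return False, f"{req.kind} is not running"
        max_age = req.params.get("max_signature_age_days")
        if max_age is not None:
            age = (today - product["signature_date"]).days
            if age > max_age:
                return False, f"{req.kind} signatures are {age} days old (limit {max_age})"
        return True, ""
    if req.kind == "firewall":
        if not inventory.get("firewall", {}).get("enabled"):
            return False, "firewall is not enabled"
        return True, ""
    if req.kind == "patch":
        missing = sorted(set(req.params["required"]) - set(inventory.get("installed_patches", [])))
        if missing:
            return False, "missing patches: " + ", ".join(missing)
        return True, ""
    if req.kind == "service_pack":
        have = inventory.get("service_pack", 0)
        if have < req.params["minimum"]:
            return False, f"service pack {have} is below the minimum {req.params['minimum']}"
        return True, ""
    if req.kind == "custom":
        # A customized requirement: any predicate over the reported inventory.
        if not req.params["predicate"](inventory):
            return False, req.params.get("reason", "custom requirement failed")
        return True, ""
    raise ValueError(f"unknown requirement kind: {req.kind}")


def evaluate_host_integrity(policy, inventory, today):
    """Run every requirement; the client passes only if all of them pass.
    The failures list is what the client reports alongside the verdict."""
    failures = []
    for req in policy:
        passed, reason = check_requirement(req, inventory, today)
        if not passed:
            failures.append((req.name, reason))
    return {"passed": not failures, "failures": failures}


# Constructed sample policy, one entry per requirement type listed above.
SAMPLE_POLICY = [
    Requirement("Antivirus running with current signatures", "antivirus",
                {"max_signature_age_days": 7}),
    Requirement("Antispyware running", "antispyware"),
    Requirement("Firewall enabled", "firewall"),
    Requirement("Critical patches installed", "patch",
                {"required": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]}),
    Requirement("Service pack level", "service_pack", {"minimum": 2}),
    Requirement("Disk encryption active", "custom",
                {"predicate": lambda inv: inv.get("disk_encrypted", False),
                 "reason": "disk encryption is not active"}),
]

# Constructed sample inventories, as two clients might report them.
SAMPLE_DATE = date(2009, 6, 1)
COMPLIANT_CLIENT = {
    "antivirus": {"running": True, "signature_date": date(2009, 5, 30)},
    "antispyware": {"running": True},
    "firewall": {"enabled": True},
    "installed_patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"],
    "service_pack": 2,
    "disk_encrypted": True,
}
NONCOMPLIANT_CLIENT = {
    "antivirus": {"running": True, "signature_date": date(2009, 5, 1)},
    "antispyware": {"running": False},
    "firewall": {"enabled": True},
    "installed_patches": ["KB-EXAMPLE-1"],
    "service_pack": 2,
    "disk_encrypted": True,
}

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT_CLIENT), ("non-compliant", NONCOMPLIANT_CLIENT)):
        result = evaluate_host_integrity(SAMPLE_POLICY, inv, SAMPLE_DATE)
        print(label, "passed" if result["passed"] else "failed", result["failures"])
```

The verdict is all-or-nothing, which matches how the Enforcer uses it: a single failed requirement keeps the client out of compliance, and the per-requirement reasons are what an administrator needs in the logs to tell a stale signature set apart from a missing patch.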


See “How the Gateway Enforcer appliance works” on page 32.

See “How the DHCP Enforcer appliance works” on page 33.

See “How the LAN Enforcer appliance works” on page 35.

Communication between an Enforcer appliance and a Symantec Endpoint Protection Manager

The Enforcer appliance stays connected to the Symantec Endpoint Protection Manager. At regular intervals (the heartbeat), the Enforcer appliance retrieves settings from the management server that control how it operates. When you make any changes on the management server that affect the Enforcer appliance, the Enforcer appliance receives the update during the next heartbeat. The Enforcer appliance transmits its status information to the management server. It can log the events that it forwards to the management server. The information then appears in the logs on the management server.

The Symantec Endpoint Protection Manager maintains a list of management servers with replicated database information. It downloads the management server list to connected Enforcers, managed clients, and guest clients. If the Enforcer appliance loses communication with one management server, it can connect to another management server that is included in the management server list. If the Enforcer appliance is restarted, it uses the management server list to reestablish a connection to a management server.

When a client tries to connect to the network through the Enforcer appliance, the Enforcer appliance authenticates the client's unique identifier (UID). The Enforcer appliance sends the UID to the management server and receives an accept response or a reject response.

If an Enforcer appliance is configured to authenticate the UID, it can retrieve information from the management server. The Enforcer appliance can then determine if the client profile has been updated with the latest security policies. If the client information, such as the client identifier or client profile, changes on the management server, the management server can send the information to the Enforcer appliance. The Enforcer appliance can again perform host authentication on the client.

Communication between the Enforcer appliance and clients

The communication between the Enforcer appliance and a client begins when the client tries to connect to the network. The Enforcer appliance can detect whether a client is running. If a client is running, the Enforcer begins the authentication process with the client. The client responds by running a Host Integrity check and by sending the results, along with its profile information, to the Enforcer.


The client also sends its unique identifier (UID), which the Enforcer passes on to the Manager for authentication. The Enforcer appliance uses the profile information to verify that the client is up to date with the latest security policies. If not, the Enforcer appliance notifies the client to update its profile.

After the DHCP Enforcer or Gateway Enforcer appliance allows the client to connect to a network, it continues to communicate with the client at a regular predefined interval. This communication enables the Enforcer appliance to continue to authenticate the client. For the LAN Enforcer appliance, the 802.1x switch handles this periodic authentication. For example, the 802.1x switch starts a new authentication session when its re-authentication timer expires.

The Enforcer appliance needs to run at all times; otherwise the clients that try to connect to the corporate network may be blocked.

How the Gateway Enforcer appliance works

Gateway Enforcer appliances perform one-way checking. They check the clients that try to connect through the Gateway Enforcer appliance's external NIC to the company's network.

A Gateway Enforcer appliance uses the following processes to authenticate a client:

■ When a client tries to access the network, the Gateway Enforcer appliance first checks whether the client runs the Symantec Endpoint Protection client or the Symantec Network Access Control client. If the client runs either of these, the Gateway Enforcer appliance begins the host authentication process.

■ The client that runs on a user's computer performs a Host Integrity check. It then passes the results to the Gateway Enforcer appliance with its identification information and information about the status of its security policy.

■ The Gateway Enforcer appliance verifies with the Symantec Endpoint Protection Manager that the client is a legitimate client and that its security policy is up to date.

■ The Gateway Enforcer appliance verifies that the client has passed the Host Integrity check and therefore complies with the security policies.

■ If all processes pass, the Gateway Enforcer appliance allows the client to connect to the network.

If a client does not satisfy the requirements for access, you can set up the Gateway Enforcer appliance to perform the following actions:

■ Monitor and log certain events.


■ Block users if the Host Integrity check failed.

■ Display a pop-up message on the client.

■ Provide the client with limited access to the network to allow the use of network resources for remediation.

To set up the Gateway Enforcer appliance authentication, you can configure which client IP addresses to check. You can specify the trusted external IP addresses that the Gateway Enforcer appliance allows without authentication. For remediation, you can configure the Gateway Enforcer appliance to allow clients access to trusted internal IP addresses. For example, you can allow clients to have access to an update server or a file server that contains antivirus DAT files.

For clients without the Symantec client software, you can redirect client HTTP requests to a Web server. For example, you can provide additional instructions on where to obtain remediation software or allow a client to download the client software.

You can also configure the Gateway Enforcer appliance to allow non-Windows clients to access the network. The Gateway Enforcer appliance functions as a bridge instead of a router. As soon as a client is authenticated, the Gateway Enforcer appliance forwards packets to allow the client to have access to the network.
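The per-packet decision this section describes for the external NIC, written out as an added example; it is not Symantec's code and does not reflect the appliance's implementation. The `GatewayConfig` fields, the client-state names, the hypothetical redirect URL and every address (all from documentation ranges) are constructed assumptions; the host-authentication outcome is simply recorded with `record_authentication`, since the wire protocol to the client and to the management server is not part of this example.

```python
"""Gateway Enforcer forwarding decision, added example (not Symantec's code).
Configuration fields, state names, URL and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class GatewayConfig:
    """Constructed configuration mirroring the settings described above."""
    trusted_external: list      # external networks admitted without authentication
    trusted_internal: list      # internal servers reachable without authentication (remediation)
    redirect_url: str           # Web server that receives HTTP from hosts without the client
    allow_non_windows: bool = False


class GatewayEnforcer:
    """One-way checking: only traffic arriving on the external NIC is judged."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.trusted_external = [ipaddress.ip_network(n) for n in cfg.trusted_external]
        self.trusted_internal = [ipaddress.ip_network(n) for n in cfg.trusted_internal]
        self.state = {}   # client IP -> authenticated | no_client | failed | non_windows
        self.events = []  # what would be written to the Enforcer log

    def record_authentication(self, client_ip, has_client, legitimate, hi_passed, is_windows=True):
        """Store the outcome of the host-authentication steps listed above."""
        if not has_client:
            exempt = (not is_windows) and self.cfg.allow_non_windows
            state = "non_windows" if exempt else "no_client"
        elif legitimate and hi_passed:
            state = "authenticated"
        else:
            state = "failed"
        self.state[client_ip] = state
        self.events.append((client_ip, state))
        return state

    def decide(self, src, dst, dst_port):
        """Return (action, detail) for one packet arriving on the external NIC."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(src_ip in net for net in self.trusted_external):
            return "forward", "trusted external address: no authentication"
        if any(dst_ip in net for net in self.trusted_internal):
            return "forward", "trusted internal address: reachable for remediation"
        state = self.state.get(src, "unknown")
        if state in ("authenticated", "non_windows"):
            return "forward", state
        if state == "no_client" and dst_port == 80:
            return "redirect", self.cfg.redirect_url
        # Hosts still being checked, failed hosts and clientless non-HTTP traffic are blocked.
        return "drop", f"client state: {state}"


def run_demo():
    """Constructed traffic sample; every address is from a documentation range."""
    cfg = GatewayConfig(trusted_external=["203.0.113.0/24"],
                        trusted_internal=["10.0.0.10/32"],
                        redirect_url="http://remediation.example/get-client")
    gw = GatewayEnforcer(cfg)
    gw.record_authentication("198.51.100.5", has_client=True, legitimate=True, hi_passed=True)
    gw.record_authentication("198.51.100.6", has_client=False, legitimate=False, hi_passed=False)
    gw.record_authentication("198.51.100.7", has_client=True, legitimate=True, hi_passed=False)
    return {
        "compliant_to_file_server": gw.decide("198.51.100.5", "10.0.0.50", 445),
        "clientless_http": gw.decide("198.51.100.6", "10.0.0.50", 80),
        "clientless_ssh": gw.decide("198.51.100.6", "10.0.0.50", 22),
        "failed_hi_to_update_server": gw.decide("198.51.100.7", "10.0.0.10", 80),
        "failed_hi_to_file_server": gw.decide("198.51.100.7", "10.0.0.50", 445),
        "never_seen": gw.decide("198.51.100.8", "10.0.0.50", 80),
        "trusted_external_vpn_peer": gw.decide("203.0.113.9", "10.0.0.50", 22),
    }


if __name__ == "__main__":
    for name, (action, detail) in run_demo().items():
        print(f"{name:28s} {action:8s} {detail}")
```

Two points worth checking in any real deployment show up in the sample: the trusted-internal list is matched on destination regardless of the client's state, so it must contain only remediation resources, and a host the Enforcer has not finished checking (`unknown`) gets nothing through except those resources. The model keeps no timers, so the periodic re-authentication the text mentions is not represented.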

How the DHCP Enforcer appliance works

A DHCP Enforcer appliance is used inline as a secure policy-enforcing bridge to protect an internal network. The clients that try to connect to the network send a DHCP request for a dynamic IP address. The switch or the router that acts as a DHCP relay agent routes the DHCP request to the DHCP Enforcer appliance. The DHCP Enforcer appliance is configured inline in front of the DHCP server. Before it forwards the DHCP request to the DHCP server, the Enforcer appliance verifies that clients comply with security policies.

If a client complies with security policies, the DHCP Enforcer appliance sends the client request for an IP address to the normal DHCP server. If the client does not comply with the security policies, the Enforcer connects it to the quarantine DHCP server. The quarantine server assigns the client to a quarantine network configuration.

You can install one DHCP server on one computer and configure it to provide both a normal and a quarantine network configuration. To complete the DHCP Enforcer appliance solution, the administrator needs to set up a remediation server. The remediation server restricts the access of the quarantined clients so that such clients can interact only with the remediation server. If high availability is required, then you can install two or more DHCP Enforcer appliances to provide failover capabilities.

The DHCP Enforcer enforces security policies on the clients that try to access a DHCP server. It does not block the DHCP request if the client fails authentication. The DHCP Enforcer appliance forwards the DHCP request to a quarantine DHCP server for a short-term, restricted-range network configuration.

When the client first sends the DHCP request, the DHCP Enforcer appliance forwards it to the quarantine DHCP server for a temporary IP address with a short lease time. The DHCP Enforcer appliance can then begin its authentication process with the client.

The DHCP Enforcer appliance authenticates clients by using the following methods:

■ When a client tries to access the enterprise network, the Enforcer appliance first checks whether the client computer runs the Symantec Network Access Control client software. If the client computer runs the Symantec Network Access Control client software, the Enforcer appliance begins the process for host authentication.

■ The Symantec client software that runs on the client computer performs a Host Integrity check. The client then passes the results to the Enforcer appliance, along with its identification information and information about the status of its security policy.

■ The DHCP Enforcer appliance verifies with the Symantec Endpoint Protection Manager that the client is a legitimate client and that its security policy is up to date.

■ The DHCP Enforcer appliance verifies that the client has passed the Host Integrity check and therefore complies with the security policies.

■ If all steps are passed, the DHCP Enforcer appliance ensures that the quarantine IP address is released. The DHCP Enforcer appliance then routes the client DHCP request to the normal DHCP server. The client then receives a normal IP address and network configuration.

If the client does not meet the security requirements, the DHCP Enforcer appliance ensures that the DHCP request is renewed with the quarantine DHCP server. The client receives a quarantine network configuration, which must be set up to allow access to a remediation server.

The DHCP Enforcer appliance can be configured to allow non-Windows clients to have access to the normal DHCP server.
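The quarantine-first relay sequence described in this section, as an added example that is not Symantec's code. Identifying clients by MAC address, the two server names, the lease lengths and the `is_windows` flag are constructed assumptions; the real appliance forwards actual DHCP packets, which this model leaves out, so it only shows which server a request goes to and why.

```python
"""DHCP Enforcer relay decision, added example (not Symantec's code).
Client identification by MAC, server names, lease lengths and the OS flag are constructed."""
from dataclasses import dataclass, field

NORMAL_SERVER = "normal-dhcp"
QUARANTINE_SERVER = "quarantine-dhcp"


@dataclass
class Decision:
    server: str          # DHCP server the request is forwarded to
    lease_seconds: int   # lease that server is configured to hand out (constructed values)
    note: str            # what would appear in the Enforcer log


@dataclass
class DhcpEnforcer:
    quarantine_lease: int = 60            # short lease: a passing client is moved quickly
    normal_lease: int = 8 * 3600
    allow_non_windows: bool = False
    auth: dict = field(default_factory=dict)   # MAC -> pending | passed | failed

    def relay(self, mac, is_windows=True):
        """Called for every DHCP request the relay agent forwards to the Enforcer.
        Requests are never blocked; only the target server changes."""
        if not is_windows and self.allow_non_windows:
            return Decision(NORMAL_SERVER, self.normal_lease, "non-Windows client exempted")
        state = self.auth.get(mac)
        if state is None:
            # First request: temporary quarantine address, then host authentication begins.
            self.auth[mac] = "pending"
            return Decision(QUARANTINE_SERVER, self.quarantine_lease,
                            "first request: temporary address, authentication started")
        if state == "passed":
            return Decision(NORMAL_SERVER, self.normal_lease,
                            "compliant: quarantine address released, normal configuration")
        # pending or failed: renewed with the quarantine server, remediation network only
        return Decision(QUARANTINE_SERVER, self.quarantine_lease,
                        f"{state}: renewed with quarantine server")

    def authentication_result(self, mac, has_client, legitimate, hi_passed):
        """Outcome of the steps listed above; a client must pass every one of them."""
        self.auth[mac] = "passed" if (has_client and legitimate and hi_passed) else "failed"
        return self.auth[mac]


def run_demo():
    """Constructed sequence of requests; MAC addresses are from the documentation range."""
    enf = DhcpEnforcer(allow_non_windows=True)
    mac_ok, mac_bad, mac_mac = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    trace = []
    trace.append(("compliant, first request", enf.relay(mac_ok)))
    enf.authentication_result(mac_ok, has_client=True, legitimate=True, hi_passed=True)
    trace.append(("compliant, renewal", enf.relay(mac_ok)))
    trace.append(("failing, first request", enf.relay(mac_bad)))
    enf.authentication_result(mac_bad, has_client=True, legitimate=True, hi_passed=False)
    trace.append(("failing, renewal", enf.relay(mac_bad)))
    trace.append(("non-Windows client", enf.relay(mac_mac, is_windows=False)))
    return trace


if __name__ == "__main__":
    for label, d in run_demo():
        print(f"{label:26s} -> {d.server:16s} lease={d.lease_seconds:6d}  {d.note}")
```

The short quarantine lease is what makes the scheme work: the client is forced back to the Enforcer at the next renewal, at which point a passed authentication moves it to the normal server. A failed client is never refused an address, only kept on the quarantine configuration, which is why that configuration must route to the remediation server and nothing else.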


How the LAN Enforcer appliance works

The LAN Enforcer appliance acts as a Remote Authentication Dial-In User Service (RADIUS) proxy.

You can use the LAN Enforcer appliance with a RADIUS server to do the following actions:

■ Perform traditional 802.1x/EAP user authentication. You deny network access to rogue computers. Any users that try to connect to the network must authenticate through RADIUS first.

■ Verify that client computers comply with the security policies set on the management server (host authentication). You can enforce security policies, such as ensuring that the computer has the correct antivirus software, patches, or other software. You can validate that the client computer runs the Symantec client and that it passed the Host Integrity check.

In the networks that do not use a RADIUS server, the LAN Enforcer appliance performs host authentication only.

A LAN Enforcer appliance communicates with a switch or wireless access point that supports EAP/802.1x authentication. The switch or wireless access point is often configured into two or more virtual local area networks (VLANs). Symantec clients on client computers pass the EAP information or Host Integrity information to the switch by using the EAPOL (EAP over LANs) protocol. The switch forwards the information to the LAN Enforcer appliance for authentication.

You can configure the LAN Enforcer appliance with a set of possible responses to an authentication failure. The responses depend on the type of authentication failure: host authentication or EAP user authentication.

If you use a switch or wireless access point, you can set up the LAN Enforcer appliance to direct an authenticated client to different VLANs. The switch or wireless access point must provide dynamic VLAN switching capability. The VLANs might include a remediation VLAN.

If you use the LAN Enforcer with a RADIUS server, you can configure multiple RADIUS server connections for the Enforcer. If a RADIUS server connection is down, the LAN Enforcer appliance can switch to a different one. In addition, multiple LAN Enforcer appliances can be set up to connect to the switch. If one LAN Enforcer appliance fails to respond, a different LAN Enforcer appliance can handle the authentication.


How LAN Enforcer basic configuration worksIf you are familiar with 802.1x authentication, you can view details about theclients that try to access the network by using the basic configuration. You canuse this information for troubleshooting network connections.

Basic configuration of 802.1x LAN Enforcement works as follows:

■ A supplicant (for example, a client computer) tries to access the network through an authenticator (for example, an 802.1x switch).

■ The switch sees the computer and requests identification.

■ The 802.1x supplicant on the computer prompts the user for a user name and password, and responds with its identification.

■ The switch forwards this information to the LAN Enforcer, which then forwards it to the RADIUS server.

■ The RADIUS server generates an EAP challenge by selecting an EAP type that is based on its configuration.

■ The LAN Enforcer receives this challenge, adds a Host Integrity challenge, and forwards it to the switch.

■ The switch forwards the EAP and Host Integrity challenges to the client.

■ The client receives the challenges and sends a response.

■ The switch receives the response and forwards it to the LAN Enforcer.

■ The LAN Enforcer examines the Host Integrity check result and the client status information, and forwards the EAP response to the RADIUS server.

■ The RADIUS server performs EAP authentication and sends the result back to the LAN Enforcer.

■ The LAN Enforcer receives the authentication result and forwards the result, together with the action to take, to the switch.

■ The switch applies the action: it allows normal network access, blocks access, or moves the port to an alternate VLAN, depending on the results.
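The exchange above, and the way the two failure types at the start of this section map to an action for the switch, as an added example (not Symantec's code). It models the LAN Enforcer as a RADIUS proxy between an 802.1x switch and a RADIUS server, walks one session through the flow, and then combines the EAP result with the Host Integrity (HI) result. The policy table, VLAN numbers, message field names, the rule that a failed user authentication takes precedence over the HI result, and the stand-in RADIUS server are assumptions made for this example; the product's real packet formats are not modelled.

```python
"""Added example (not Symantec's code): the LAN Enforcer as a RADIUS proxy.

Plays through the basic-configuration flow and combines the RADIUS (EAP)
result with the Host Integrity (HI) result into the action for the switch.
Policy values, VLAN numbers and message fields are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"            # normal network access
    REMEDIATE = "remediation"  # move the port to the remediation VLAN
    BLOCK = "block"            # reject the session


@dataclass
class Policy:
    # One configured response per failure type (host authentication vs
    # EAP user authentication). The defaults here are assumed, not documented.
    on_user_auth_failure: Action = Action.BLOCK
    on_host_integrity_failure: Action = Action.REMEDIATE
    normal_vlan: int = 10
    remediation_vlan: int = 99


def decide(eap_ok: bool, hi_pass: bool, policy: Policy):
    """Combine the EAP result and the HI result into (action, vlan).

    Assumption of this model: a failed user authentication wins over the HI
    result, so an unidentified user is never sent to remediation on the
    strength of a clean HI check.
    """
    if not eap_ok:
        action = policy.on_user_auth_failure
    elif not hi_pass:
        action = policy.on_host_integrity_failure
    else:
        action = Action.ALLOW
    vlan = {Action.ALLOW: policy.normal_vlan,
            Action.REMEDIATE: policy.remediation_vlan,
            Action.BLOCK: None}[action]
    return action, vlan


class FakeRadius:
    """Stand-in RADIUS server: a password table instead of a real EAP method."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, identity, password):
        return self.users.get(identity) == password


def run_session(identity, password, hi_pass, radius, policy):
    """Walk one 802.1x session through the proxy.

    Returns (action, vlan, transcript); transcript is a list of
    (source, destination, message) in the order they are exchanged.
    """
    t = []
    # Switch forwards the EAP Identity response; the Enforcer relays it to RADIUS.
    t.append(("switch", "enforcer", {"eap": "identity", "id": identity}))
    t.append(("enforcer", "radius", {"eap": "identity", "id": identity}))
    # RADIUS picks an EAP type and challenges; the Enforcer adds an HI challenge.
    t.append(("radius", "enforcer", {"eap": "challenge"}))
    t.append(("enforcer", "switch", {"eap": "challenge", "hi": "challenge"}))
    # The client answers both; the Enforcer keeps the HI result and passes the
    # EAP part to RADIUS for the real authentication.
    t.append(("switch", "enforcer",
              {"eap": "response", "hi": "pass" if hi_pass else "fail"}))
    eap_ok = radius.authenticate(identity, password)
    t.append(("radius", "enforcer", {"eap": "success" if eap_ok else "failure"}))
    # The Enforcer returns the result plus the action the switch should apply.
    action, vlan = decide(eap_ok, hi_pass, policy)
    t.append(("enforcer", "switch", {"action": action.value, "vlan": vlan}))
    return action, vlan, t


if __name__ == "__main__":
    radius = FakeRadius({"alice": "s3cret"})
    cases = [("alice", "s3cret", True), ("alice", "s3cret", False), ("mallory", "guess", True)]
    for who, pw, hi in cases:
        action, vlan, transcript = run_session(who, pw, hi, radius, Policy())
        print(who, "hi_pass=%s" % hi, "->", action.value, "vlan", vlan)
```

Running the block prints one line per case: a compliant, authenticated user lands on VLAN 10, a failed Host Integrity check sends the same user to VLAN 99, and a bad password is blocked regardless of the HI result. Changing `on_user_auth_failure` to `Action.REMEDIATE` shows the other configurable response.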

How LAN Enforcer transparent mode works

LAN Enforcer transparent mode works in the following ways:

■ A supplicant (for example, a client computer) tries to access the network through an authenticator (for example, an 802.1x switch).

■ The authenticator sees the computer and sends an EAP authentication packet (only EAP traffic is allowed at this point).

■ The client, acting as an EAP supplicant, sees the authentication packet and responds with Host Integrity authentication.

■ The switch sends the Host Integrity authentication results to the LAN Enforcer appliance, which runs as a RADIUS proxy server.

■ The LAN Enforcer appliance replies to the switch with the VLAN assignment that is based on the authentication results.

About 802.1x authentication

IEEE 802.1X-2001 is a standard that defines access control for wireless and wired LANs. The standard provides a framework for authenticating and controlling user traffic on a protected network. The standard specifies the use of the Extensible Authentication Protocol (EAP), which uses a centralized authentication server, such as Remote Authentication Dial-In User Service (RADIUS).

The server authenticates each user that tries to access the network. The 802.1x standard includes the specifications for EAP-over-LAN (EAPOL). EAPOL is used for encapsulating EAP messages in link layer frames (for example, Ethernet) and also provides control functions.

The 802.1x architecture includes the following key components:

Authenticator
    The entity that brokers the authentication, such as an 802.1x-compliant LAN switch or wireless access point.

Authentication Server
    The entity that provides the actual authentication by validating the credentials that are supplied in response to the challenge, such as a RADIUS server.

Supplicant
    The entity that seeks network access and tries to successfully authenticate, such as a computer.

When a supplicant device is connected to a network switch authenticator with 802.1x enabled, the following process occurs:

■ The switch issues an EAP Identity Request.

■ The EAP supplicant software responds with an EAP Identity Response, which is forwarded to the authentication server (for example, RADIUS) by the switch.

■ The authentication server issues an EAP Challenge, which is forwarded to the supplicant by the switch.

■ The user enters authentication credentials (user name and password, token, and so forth).

■ The supplicant sends an EAP Challenge Response, including the user-supplied credentials, to the switch, which forwards it to the authentication server.

■ The authentication server validates the credentials and replies with an EAP (user authentication) result, which indicates the success or failure of the authentication.

■ If authentication succeeds, the switch permits access for normal traffic. If authentication fails, client device access is blocked. The supplicant is notified of the result in either case.

Only EAP traffic is permitted during the authentication process.

For details on EAP, refer to the IETF's RFC 2284 (the original EAP specification, since obsoleted by RFC 3748) at the following URL:

http://www.ietf.org/rfc/rfc2284.txt

For additional details on IEEE Standard 802.1x, refer to the text of the standard at the following URL:

http://standards.ieee.org/getieee802/download/802.1x-2001.pdf

Support for third-party enforcement solutions

Symantec provides enforcement solutions for the following third-party vendors:

■ Universal Enforcement API. Symantec has developed the Universal Enforcement API to allow other vendors with related technology to integrate their solutions with the Symantec software.

■ Cisco Network Admission Control. Symantec clients can support the Cisco Network Admission Control enforcement solution.

Where to find more information about the Symantec Enforcer appliances

Table 1-2 lists the sources that provide information about related tasks that you may need to perform before or after an Enforcer has been installed.


Table 1-2 Symantec Enforcer documentation

Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control
    Describes how to install the Symantec Endpoint Protection Manager, the Symantec Endpoint Protection client, and the Symantec Network Access Control clients. It also explains how to configure the embedded and Microsoft SQL databases, and how to set up replication.

Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control
    Describes how to configure and administer the Symantec Endpoint Protection Manager, the Symantec Endpoint Protection clients, and the Symantec Network Access Control clients. It also describes how to set up the Host Integrity policies that an Enforcer uses to implement compliance on client computers.

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control
    Describes how to use the Symantec Endpoint Protection clients and the Symantec Network Access Control clients.

Enforcer Implementation Guide for Symantec Network Access Control
    Describes how to install and administer all types of Symantec Network Access Control appliances and integrated enforcers. Also explains how to use the on-demand clients for Macintosh and Linux.

Online Help
    Explains how to use the Symantec Endpoint Protection Manager, the Symantec Endpoint Protection client, and the Symantec Network Access Control clients. Also explains the use of each of the Integrated Enforcers.

Online Help for the On-Demand clients
    Explains how to use the Macintosh and Linux on-demand clients.

Enforcer Command-Line Interface Help
    Provides help when you type ? at the command-line interface (CLI).

readme.txt file
    Includes the latest information about critical Enforcer-related defects that may also affect the Symantec Endpoint Protection Manager.


Chapter 2: Planning for the Enforcer appliance installation

This chapter includes the following topics:

■ Installation planning for Enforcer appliances

■ Installation planning for a Gateway Enforcer appliance

■ Failover planning for Gateway Enforcer appliances

■ Installation planning for a DHCP Enforcer appliance

■ Failover planning for DHCP Enforcer appliances

■ Installation planning for a LAN Enforcer appliance

■ Failover planning for LAN Enforcer appliances

Installation planning for Enforcer appliances

You must plan where to integrate the following Linux-based Symantec Network Access Control Enforcer appliances in a network:

■ Symantec Network Access Control Gateway Enforcer appliance. See “Installation planning for a Gateway Enforcer appliance” on page 42.

■ Symantec Network Access Control DHCP Enforcer appliance. See “Installation planning for a DHCP Enforcer appliance” on page 52.

■ Symantec Network Access Control LAN Enforcer appliance. See “Installation planning for a LAN Enforcer appliance” on page 61.

■ Symantec Network Access Control Integrated DHCP Enforcer for Microsoft DHCP Servers. See “About planning for the installation of an Integrated Enforcer for Microsoft DHCP Servers” on page 311.

■ Symantec Network Access Control Integrated DHCP Enforcer for Microsoft Network Access Protection Servers. See “About planning for the installation of the Symantec Integrated NAP Enforcer” on page 373.

■ Symantec Network Access Control Integrated DHCP Enforcer for Alcatel-Lucent VitalQIP DHCP Servers. See “About planning for the installation of an Integrated Lucent Enforcer” on page 329.

Installation planning for a Gateway Enforcer appliance

Several types of planning information can help you implement Gateway Enforcer appliances in a network.

You can place the Gateway Enforcer appliance to help protect the following areas in a network:

■ General placement. See “Where to place a Gateway Enforcer appliance” on page 42.

■ See “Guidelines for IP addresses on a Gateway Enforcer appliance” on page 45.

■ See “About two Gateway Enforcer appliances in a series” on page 45.

■ See “Protection of VPN access through a Gateway Enforcer appliance” on page 46.

■ See “Protection of wireless access points through a Gateway Enforcer appliance” on page 46.

■ See “Protection of servers through a Gateway Enforcer appliance” on page 46.

■ See “Protection of non-Windows servers and clients through a Gateway Enforcer appliance” on page 47.

■ See “Requirements for allowing non-Windows clients without authentication” on page 48.

Where to place a Gateway Enforcer appliance

You can place Gateway Enforcers at locations where all traffic must pass through a Gateway Enforcer before a client can do the following actions:

■ Connect to a corporate network.

■ Reach the secured areas of a network.


See “Guidelines for IP addresses on a Gateway Enforcer appliance” on page 45.

You typically can place Gateway Enforcer appliances at the following locations:

VPN
    Between virtual private network (VPN) concentrators and the corporate network

Wireless Access Point (WAP)
    Between a wireless access point and the corporate network

Servers
    In front of corporate servers

Larger organizations may require a Gateway Enforcer appliance to protect every network entry point. Gateway Enforcers are typically located in different subnets. In most cases, you can integrate Gateway Enforcer appliances into a corporate network without having to make hardware configuration changes.

You can place Gateway Enforcer appliances next to a wireless access point (WAP) or a virtual private network (VPN) server. In a corporate network you can also safeguard servers that contain sensitive information. Gateway Enforcer appliances must use two network interface cards (NICs).

Figure 2-1 provides an example of where you can place Gateway Enforcer appliances in the overall network configuration.


Figure 2-1 Placement of Gateway Enforcer appliances

[Diagram: remote clients outside the company reach the corporate backbone through the Internet, the corporate firewall and a VPN server; internal wireless clients connect through a wireless access point; protected servers and the Symantec Endpoint Protection Manager sit on the corporate backbone. Four Gateway Enforcers are shown, one at each entry point (VPN server, wireless access point) and in front of the protected servers, each with its external NIC toward the entry point and its internal NIC toward the corporate backbone.]

Another location where a Gateway Enforcer appliance protects a network is at a remote access server (RAS). Clients can dial in to connect to a corporate network. RAS dial-up clients are configured similarly to wireless and VPN clients. The external NIC connects to the RAS server and the internal NIC connects to the network.

Guidelines for IP addresses on a Gateway Enforcer appliance

When you set up the internal NIC address for a Gateway Enforcer appliance, follow these guidelines:

■ A Gateway Enforcer appliance's internal NIC must be able to communicate with a Symantec Endpoint Protection Manager. By default, the internal NIC must face a Symantec Endpoint Protection Manager.

■ Clients must be able to communicate with the Gateway Enforcer appliance's internal IP address. The VPN server or wireless AP can be in a different subnet if the clients can be routed to the same subnet as the Gateway Enforcer appliance's internal IP address.

■ For a Gateway Enforcer appliance that protects internal servers, the internal NIC connects to the VLAN that in turn connects to the servers.

■ If you use multiple Gateway Enforcer appliances in a failover configuration, the internal NIC on each Gateway Enforcer appliance must have its own IP address.

The Gateway Enforcer appliance derives a placeholder (bogus) address for the external NIC from the internal NIC address. You do not need to configure this again if you install another Gateway Enforcer appliance.

About two Gateway Enforcer appliances in a series

If a network supports two Gateway Enforcer appliances in a series, so that a client connects to the network through more than one Gateway Enforcer appliance, you must specify the Enforcer appliance that is closest to the Symantec Endpoint Protection Manager as a trusted internal IP address of the other Gateway Enforcer appliance. Otherwise a five-minute delay can occur before the client can connect to the network.

This delay can occur when the client runs a Host Integrity check that fails. As part of Host Integrity remediation, the client downloads the required software updates. Then the client runs the Host Integrity check again. At that point the Host Integrity check passes, but network access is delayed.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for information about trusted internal IP addresses.


Protection of VPN access through a Gateway Enforcer appliance

The protection of VPN access is the first and most common reason for which a Gateway Enforcer appliance is used. You can place Gateway Enforcer appliances at VPN entry points to secure access to a corporate network. The Gateway Enforcer appliance is placed between the VPN server and the corporate network. It allows access only to authorized users and prevents access by anyone else.

Protection of wireless access points through a Gateway Enforcer appliance

Gateway Enforcer appliances protect the corporate network at wireless access points (WAPs). The Gateway Enforcer appliance ensures that anyone who connects to the network by using wireless technology runs the client and meets the security requirements.

After these conditions are met, the client is granted access to the network. The Gateway Enforcer appliance is placed between the WAP and the corporate network. The external NIC points toward the WAP and the internal NIC points toward the corporate network.

Protection of servers through a Gateway Enforcer appliance

Gateway Enforcer appliances can protect the corporate servers that hold sensitive information in the corporate network. An organization may place important data on servers that are located in a locked computer room. Only system administrators may have access to the locked computer room.

The Gateway Enforcer appliance acts like an additional lock on the door. It does so by allowing only the users that meet its criteria to access the protected servers. In this setup the servers sit behind the internal NIC, and users who try to gain access must pass through the external NIC.

To safeguard these servers, you can limit access to clients with designated IP addresses and you can set up strict Host Integrity rules. For example, you can configure a Gateway Enforcer appliance to protect servers in a network. The Gateway Enforcer appliance is located between clients on the corporate LAN and the servers that it safeguards. The external NIC points to the corporate LAN inside the company and the internal NIC points toward the protected servers. This configuration prevents unauthorized users or clients from gaining access to the servers.


Protection of non-Windows servers and clients through a Gateway Enforcer appliance

Servers and clients may run an operating system other than Microsoft Windows. However, the Gateway Enforcer appliance cannot authenticate servers or clients that do not run Microsoft Windows, because the client software is supported only on Windows.

If an organization includes servers and clients with operating systems on which the client software is not installed, you must decide which of the following methods to use:

■ Implement support through a Gateway Enforcer appliance. See “Implementation of non-Windows support through a Gateway Enforcer appliance” on page 47.

■ Implement support without a Gateway Enforcer appliance. See “Implementation of non-Windows support without a Gateway Enforcer appliance” on page 47.

Implementation of non-Windows support through a Gateway Enforcer appliance

You can implement support for non-Windows clients by configuring the Gateway Enforcer appliance to allow all non-Windows clients to access the network. If you configure the Gateway Enforcer appliance in this way, it performs operating system detection to identify the clients that run non-Windows operating systems.

Implementation of non-Windows support without a Gateway Enforcer appliance

You can implement support for non-Windows clients by allowing non-Windows clients to access the network through a separate access point.

For example, you can use two separate VPN servers:

■ One VPN server supports the clients that have the client software installed. These Windows-based client computers connect to the corporate network through a Gateway Enforcer appliance.

■ Another VPN server supports the clients that run non-Windows operating systems. These non-Windows client computers connect to the corporate network without passing through a Gateway Enforcer appliance.


Requirements for allowing non-Windows clients without authentication

You can configure the Gateway Enforcer appliance to allow non-Windows clients without authentication.

See “Requirements for non-Windows clients” on page 48.

When a client tries to access the corporate network through a Gateway Enforcer appliance, the Enforcer appliance first checks whether the client software has been installed on the client computer. If the client software is not running and the option to allow non-Windows clients is set, the Gateway Enforcer appliance checks the operating system.

It checks the operating system by sending probe packets to the client to detect the type of operating system that it currently runs. If the client runs a non-Windows operating system, the client is allowed regular network access.

Requirements for Windows clients

When a Gateway Enforcer appliance is configured to allow non-Windows clients to connect to a network, it first tries to determine a client's operating system. If the operating system is a Windows-based operating system, the Gateway Enforcer appliance authenticates the client. Otherwise, the Gateway Enforcer appliance allows the client to connect to the network without authentication.

For the Gateway Enforcer appliance to correctly detect that an operating system is a Windows operating system, the following requirements must be met on the Windows client:

■ The Client for Microsoft Networks option must be installed and enabled on the client. See the Windows documentation.

■ UDP port 137 must be open on the client and reachable from the Gateway Enforcer appliance.

If a Windows client fails to meet these requirements, the Gateway Enforcer appliance may interpret the Windows client as a non-Windows client and allow it to connect to the network without authentication. Treat this as a fail-open condition when you plan: any host that does not answer the UDP port 137 probe, whether a Windows client behind a host firewall or an unmanaged device, is admitted without authentication once the non-Windows option is enabled.

Requirements for non-Windows clients

A Macintosh client must meet the following requirements before the Gateway Enforcer appliance allows it to connect to a network:

■ Windows Sharing must be on. The guide lists this as the default setting.

■ The Macintosh built-in firewall must be off. This setting is the default.

The Gateway Enforcer has the following requirement to allow a Linux client:

■ The Linux system must run the Samba service.
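The probe that the two requirement lists above depend on, as an added example (not Symantec's code). The guide says only that the appliance probes the client on UDP port 137 and that Windows clients, Macs with Windows Sharing and Linux hosts running Samba must answer it; that the probe is specifically a NetBIOS node-status (NBSTAT) query, and how the appliance tells a Windows reply from a Samba reply, are assumptions not stated in the guide. The block builds that query, parses a reply according to RFC 1002, and applies the guide's rule that a silent host is taken to be non-Windows. The sample reply, host name and MAC address are constructed for the example, not captured from a real host.

```python
"""Added example (not Symantec's code): a NetBIOS node-status probe on
UDP/137 and the fail-open consequence of a host that does not answer.

That the Gateway Enforcer sends exactly this query is an assumption; the
guide only names the port. The sample reply is constructed.
"""
import socket
import struct

NBSTAT = 0x0021
WILDCARD = b"*" + b"\x00" * 15          # the NetBIOS "*" name, padded to 16 bytes


def encode_nb_name(name16: bytes) -> bytes:
    """First-level encoding (RFC 1001): each byte becomes two letters A..P."""
    assert len(name16) == 16
    enc = bytearray()
    for b in name16:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(enc) + b"\x00"


def build_node_status_query(txid: int) -> bytes:
    """Header (12 bytes), one question: encoded '*' name, type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name(WILDCARD) + struct.pack(">HH", NBSTAT, 1)


def parse_node_status_response(data: bytes):
    """Return (names, mac); names is a list of (name, suffix, flags) tuples."""
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a name-service response")
    off = 12
    while data[off] != 0:               # skip the length-prefixed name labels
        off += 1 + data[off]
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    count = data[off]
    off += 1
    names = []
    for _ in range(count):              # 18 bytes per entry: name, suffix, flags
        raw = data[off:off + 15]
        suffix = data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix, nflags))
        off += 18
    mac = data[off:off + 6]             # unit ID that opens the statistics block
    return names, mac


def build_sample_response(txid: int) -> bytes:
    """Constructed reply from a host WKSTN01 registering its workstation (0x00)
    and file-server (0x20) names, for offline use."""
    entries = b"".join(b"WKSTN01".ljust(15) + bytes([sfx]) + struct.pack(">H", 0x0400)
                       for sfx in (0x00, 0x20))
    mac = bytes.fromhex("001122334455")
    rdata = bytes([2]) + entries + mac
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_nb_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def classify(reply):
    """The guide's rule: no answer means 'non-Windows' and admission without
    authentication; an answer means 'Windows' and the client must authenticate.
    Silence is therefore the fail-open path a firewall or unmanaged host takes."""
    if reply is None:
        return "silent: treated as non-Windows, admitted without authentication"
    names, mac = parse_node_status_response(reply)
    return "answered: %s (%s), must authenticate" % (names[0][0], mac.hex())


def probe(host: str, timeout: float = 2.0):
    """Send the query to a live host; returns the raw reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(0x1234), (host, 137))
        try:
            return s.recvfrom(512)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    print(classify(None))
    print(classify(build_sample_response(0x1234)))
```

Use `probe()` from the appliance's network position to audit a Windows fleet before enabling the non-Windows option: every host that returns `None` will be admitted unauthenticated. The parser stops at the unit ID (MAC) and ignores the trailing statistics block, which is all the classification needs.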

Failover planning for Gateway Enforcer appliances

An enterprise can support two Gateway Enforcer appliances that are configured to continue operations when one of them fails. If a Gateway Enforcer appliance fails in a network that is not configured for failover, network access at that location is blocked: clients can no longer connect to the network until the problem with the Gateway Enforcer appliance is corrected.

For a Gateway Enforcer appliance, failover is implemented by the Gateway Enforcer appliances themselves rather than by third-party switches. If the configuration is set up correctly, the Symantec Endpoint Protection Manager automatically synchronizes the settings for the failover Gateway Enforcer appliances.

How failover works with Gateway Enforcer appliances in the network

The Gateway Enforcer appliance that is operational is called the active Gateway Enforcer appliance (also referred to as the primary Gateway Enforcer appliance). The backup Gateway Enforcer appliance is called the standby Gateway Enforcer appliance. If the active Gateway Enforcer appliance fails, the standby Gateway Enforcer appliance takes over the enforcement tasks.

The sequence in which the two Gateway Enforcer appliances are started is as follows:

■ When the first Gateway Enforcer appliance is started, it runs in standby mode. While in standby mode, it queries the network to determine whether another Gateway Enforcer appliance is running. It sends out three queries to search for another Gateway Enforcer appliance, so it can take a few minutes to change its status to Online.

■ If the first Gateway Enforcer appliance does not detect another Gateway Enforcer appliance, it becomes the active Gateway Enforcer appliance.

■ While the active Gateway Enforcer appliance runs, it broadcasts failover packets on both the internal and the external networks, and continues to do so for as long as it is active.


■ As soon as the second Gateway Enforcer appliance is started, it runs in standby mode. It queries the network to determine whether another Gateway Enforcer appliance is running.

■ The second Gateway Enforcer appliance detects the active Gateway Enforcer appliance and therefore remains in standby mode.

■ If the active Gateway Enforcer appliance fails, it stops broadcasting failover packets. The standby Gateway Enforcer appliance no longer detects an active Gateway Enforcer appliance, so it becomes the active Gateway Enforcer appliance that handles network connections and security at this location.

■ If you then start the other Gateway Enforcer appliance, it remains the standby Gateway Enforcer appliance because it detects that another Gateway Enforcer appliance is active.
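The election sequence above as a discrete-time model, added here as an example and not Symantec's code. Two appliances share one broadcast segment; each starts in standby, probes three times (the count the guide gives), goes active if nothing answers, and a standby that has heard an active peer takes over once the failover packets stop. The query interval, the takeover timeout and the idea that "hearing" an active peer is the same as that peer being alive are assumptions of the model; the real packet format and timers are not documented on this page. A second scenario puts the two appliances on separate segments, which is what a router between them amounts to.

```python
"""Added example (not Symantec's code): active/standby election between two
Gateway Enforcer appliances on one segment, and the split that results when a
router separates them. Intervals and timeouts are assumed values.
"""
QUERY_COUNT = 3          # from the guide: a starting appliance sends three queries
QUERY_INTERVAL = 10      # assumed seconds between queries
HEARTBEAT_TIMEOUT = 15   # assumed seconds of silence before a standby takes over


class Segment:
    """One broadcast domain. Failover packets are not routed, so appliances
    only hear each other when they share a Segment."""

    def __init__(self):
        self.enforcers = []
        self.now = 0

    def add(self, enf):
        self.enforcers.append(enf)
        enf.segment = self

    def active_heard(self, asker):
        # An active appliance broadcasts failover packets continuously, so a
        # live active peer on the segment is modelled as "I heard its packet".
        return any(e is not asker and e.alive and e.state == "active"
                   for e in self.enforcers)

    def run(self, seconds):
        for _ in range(seconds):
            self.now += 1
            for e in self.enforcers:
                e.step(self.now)


class GatewayEnforcer:
    def __init__(self, name):
        self.name = name
        self.segment = None
        self.alive = False
        self.state = "off"
        self.events = []                  # (time, name, new state)
        self.queries_sent = 0
        self.next_query = 0
        self.saw_active = False
        self.last_heartbeat = 0

    def power_on(self, now):
        self.alive = True
        self.state = "standby"            # every appliance starts in standby
        self.queries_sent = 0
        self.next_query = now
        self.saw_active = False
        self.last_heartbeat = now

    def fail(self):
        self.alive = False
        self.state = "failed"

    def _become_active(self, now):
        self.state = "active"
        self.events.append((now, self.name, "active"))

    def step(self, now):
        if not self.alive or self.state != "standby":
            return
        if self.segment.active_heard(self):
            self.saw_active = True        # stop probing, just watch the heartbeats
            self.last_heartbeat = now
        elif not self.saw_active:
            # Initial probe phase: three unanswered queries, then go active.
            if now >= self.next_query:
                self.queries_sent += 1
                self.next_query = now + QUERY_INTERVAL
                if self.queries_sent >= QUERY_COUNT:
                    self._become_active(now)
        elif now - self.last_heartbeat >= HEARTBEAT_TIMEOUT:
            self._become_active(now)      # takeover: the active peer went silent


def run_failover_scenario():
    """Start gw1, then gw2; fail gw1; bring gw1 back. Returns the final
    states and the ordered list of activations."""
    seg = Segment()
    gw1, gw2 = GatewayEnforcer("gw1"), GatewayEnforcer("gw2")
    seg.add(gw1)
    seg.add(gw2)
    gw1.power_on(seg.now)    # t=0: gw1 probes three times and hears nothing
    seg.run(30)
    gw2.power_on(seg.now)    # t=30: gw2 hears gw1's failover packets
    seg.run(30)
    gw1.fail()               # t=60: gw1 goes silent
    seg.run(30)
    gw1.power_on(seg.now)    # t=90: gw1 returns, hears gw2, stays standby
    seg.run(30)
    return {"gw1": gw1.state, "gw2": gw2.state, "events": gw1.events + gw2.events}


def run_split_scenario():
    """Two appliances behind a router (separate segments): neither hears the
    other, so both go active. This is the misplacement the guide warns about."""
    a, b = Segment(), Segment()
    gw1, gw2 = GatewayEnforcer("gw1"), GatewayEnforcer("gw2")
    a.add(gw1)
    b.add(gw2)
    gw1.power_on(0)
    gw2.power_on(0)
    a.run(30)
    b.run(30)
    return gw1.state, gw2.state


if __name__ == "__main__":
    print(run_failover_scenario())
    print(run_split_scenario())
```

Two appliances powered on in the same tick on one segment are resolved by step order in this model (the first to step goes active and the second hears it); a real deployment should still bring the pair up one at a time, as the sequence in the guide describes.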

Where to place Gateway Enforcer appliances for failover in a network with one or more VLANs

You set up a Gateway Enforcer appliance for failover by its physical location and by the configuration that you perform on the Symantec Endpoint Protection Manager. If you use a hub that supports multiple VLANs, you can use only one VLAN unless you integrate an 802.1q-aware switch instead of a hub.

Both Gateway Enforcer appliances in a failover pair must be on the same network segment. A router or gateway cannot be installed between the two Gateway Enforcer appliances, because a router or gateway does not forward the failover packets. The internal NICs must both connect to the internal network through the same switch or hub. The external NICs must both connect to the external VPN server or access point through the same switch or hub.

You use similar processes to configure Gateway Enforcer appliances for failover at a wireless AP, dial-up RAS, or other access points. The external NICs of both Gateway Enforcer appliances connect to the external network through the wireless AP or RAS server. The internal NICs connect to the internal network or the area that is protected.

Figure 2-2 shows how to set up two Gateway Enforcer appliances for failover to protect network access at a VPN concentrator.


Figure 2-2 Placement of two Gateway Enforcer appliances

[Diagram: remote clients reach the VPN server through the Internet and the corporate firewall. Gateway Enforcer 1 and Gateway Enforcer 2 each connect their external NIC to the VPN server through one shared hub/VLAN and their internal NIC to the corporate backbone (internal clients, protected servers, Symantec Endpoint Protection Manager) through a second shared hub/VLAN.]


Setting up Gateway Enforcer appliances for failover

You should familiarize yourself with the concepts that are involved in Gateway Enforcer appliance failover before you set up standby Enforcers.

See “How failover works with Gateway Enforcer appliances in the network” on page 49.

To set up Gateway Enforcer appliances for failover

1 Place the computers in the network.

See “Where to place Gateway Enforcer appliances for failover in a network with one or more VLANs” on page 50.

2 Set up the internal NICs.

The internal NICs on multiple Gateway Enforcer appliances must each have a different IP address.

See “Guidelines for IP addresses on a Gateway Enforcer appliance” on page 45.

Installation planning for a DHCP Enforcer appliance

Several types of planning information can help you implement DHCP Enforcer appliances in a network.

You can place the DHCP Enforcer appliance to help protect the following areas in a network:

■ See “Where to place DHCP Enforcer appliances in a network” on page 52.

■ See “DHCP Enforcer appliance IP addresses” on page 54.

■ See “Protection of non-Windows clients with DHCP enforcement” on page 55.

■ See “About the DHCP server” on page 56.

Where to place DHCP Enforcer appliances in a network

To ensure that the DHCP Enforcer appliance can intercept all DHCP messages between DHCP clients and DHCP servers, you must install the DHCP Enforcer as an inline device. The DHCP Enforcer must be installed between the clients and the DHCP server.

The internal NIC of the DHCP Enforcer appliance connects to the DHCP servers. The external NIC of the DHCP Enforcer connects to the clients through a router or switch, which acts as a DHCP relay agent. The Symantec Endpoint Protection Manager also connects to the DHCP Enforcer appliance's external NIC.


You can configure one DHCP Enforcer appliance to communicate with multiple DHCP servers. For example, you can have multiple DHCP servers on the same subnet for failover purposes. If you have DHCP servers in different locations on the network, each one requires a separate DHCP Enforcer appliance.

For each of your DHCP server locations, you configure a normal DHCP server and a quarantine DHCP server. You can configure the Enforcer to recognize multiple quarantine DHCP servers, as well as multiple normal DHCP servers.

Note: You can install one DHCP server on one computer and configure it to provide both a normal and a quarantine network configuration.

You also must set up a remediation server so that the clients that receive quarantine configurations can connect with the remediation server. Optionally, the Symantec Endpoint Protection Manager can run on the same computer as the remediation server. Neither the Symantec Endpoint Protection Manager nor the remediation server requires any direct connection with the DHCP Enforcer appliance or the DHCP servers.

If the client meets security requirements, the DHCP Enforcer appliance acts as a DHCP relay agent. The DHCP Enforcer appliance connects the client to the normal DHCP server and the client receives a regular network configuration. If the client does not meet the security requirements, the DHCP Enforcer appliance connects it to a quarantine DHCP server. The client then receives a quarantine network configuration.

Figure 2-3 shows an example of the various components that are required for a DHCP Enforcer appliance and where they are placed.

Note: Although the illustration shows a quarantine DHCP server on a separate computer, only one computer is required. If you use only one computer, you must configure the DHCP server to provide two different network configurations. One of the network configurations must be a quarantine network configuration.


Figure 2-3 Placement of a DHCP Enforcer appliance

[Diagram: clients reach the DHCP Enforcer appliance's external NIC through a relay agent; the internal NIC connects through a hub/switch to the DHCP server. The Symantec Endpoint Protection Manager and the other servers sit on the corporate backbone, behind a hub/switch on the client side of the appliance.]

DHCP Enforcer appliance IP addresses

When you set up an IP address for a DHCP Enforcer appliance, you must follow certain guidelines.

You follow these guidelines when you set up the internal NIC for a DHCP Enforcer appliance:

■ The DHCP Enforcer appliance's internal IP address must be in the same subnet as the DHCP servers.


■ Clients must be able to communicate with the DHCP Enforcer appliance’sinternal IP address.

■ If you use multiple DHCP Enforcers in a failover configuration, the IP addressof the internal NIC on each DHCP Enforcer appliance must be different.

■ If you use multiple DHCP Enforcer appliances in a failover configuration,clients must be able to communicate with the internal IP address of both theactive and standby DHCP Enforcer appliances.

You follow these guidelines when you set up the external NIC for a DHCP Enforcerappliance:

■ The DHCP Enforcer appliance’s external IP address must be able to communicate with the Symantec Endpoint Protection Manager. It must be in the same subnet as the IP range of the internal NIC. In this case, the Symantec Endpoint Protection Manager is located on one side of a switch while the DHCP Enforcer appliance is located on the other side of the switch.

■ If you use multiple DHCP Enforcer appliances in a failover configuration, the IP address of the external NIC on each DHCP Enforcer appliance must be different.

Protection of non-Windows clients with DHCP enforcement

You can install the Symantec Endpoint Protection software or the Symantec Network Access Control software on the clients that run the Microsoft Windows operating system. The DHCP Enforcer cannot authenticate clients without the Symantec Endpoint Protection software. If an organization includes clients with operating systems on which the software is not supported, such as Linux or Solaris, your planning must include how to handle these clients.

If you can implement support for non-Windows clients, you can configure the DHCP Enforcer appliance to allow all non-Windows clients to connect to the network. When the DHCP Enforcer appliance is configured in this way, the DHCP Enforcer appliance performs operating system detection to identify the clients that run non-Windows operating systems.

As an alternate method, you can configure a DHCP Enforcer to allow specific MAC addresses to access the corporate network. When a client with a trusted MAC address tries to connect to the network, the DHCP Enforcer forwards the client’s DHCP request to the normal DHCP server without authentication.
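The relay decision that this subsection and the section opening describe, modelled in Python as an added example that is not Symantec's code. The rule order (trusted MAC bypass first, then the non-Windows allowance, then the Host Integrity result), the field names and the sample requests are assumptions made for the illustration; the two-minute quarantine lease is the value the guide recommends, and the normal lease length is an assumed value.

```python
"""Model of the DHCP Enforcer relay decision (added example, not Symantec's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

QUARANTINE_LEASE_SECONDS = 120      # two-minute quarantine lease recommended by the guide
NORMAL_LEASE_SECONDS = 8 * 3600     # assumed normal lease; the guide states no value


@dataclass
class DhcpRequest:
    mac: str
    os_family: str                          # result of the Enforcer's OS detection, e.g. "windows", "linux"
    host_integrity_passed: Optional[bool]   # None when no Symantec client answered the check


@dataclass
class EnforcerPolicy:
    trusted_macs: Set[str] = field(default_factory=set)   # assumed name for the trusted-MAC list
    allow_non_windows: bool = False                       # assumed name for the non-Windows allowance


@dataclass
class RelayDecision:
    target: str          # "normal" or "quarantine" DHCP server
    lease_seconds: int
    authenticated: bool  # False when the request was forwarded without a Host Integrity check
    reason: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide_relay(req: DhcpRequest, policy: EnforcerPolicy) -> RelayDecision:
    """Choose which DHCP server the Enforcer relays this request to."""
    trusted = {normalize_mac(m) for m in policy.trusted_macs}
    if normalize_mac(req.mac) in trusted:
        # Trusted MAC: forwarded to the normal DHCP server without authentication.
        return RelayDecision("normal", NORMAL_LEASE_SECONDS, False, "trusted MAC bypass")
    if req.os_family != "windows":
        # The Enforcer cannot authenticate a host without the Symantec client;
        # OS detection decides whether the non-Windows allowance applies.
        if policy.allow_non_windows:
            return RelayDecision("normal", NORMAL_LEASE_SECONDS, False, "non-Windows client allowed by policy")
        return RelayDecision("quarantine", QUARANTINE_LEASE_SECONDS, False, "non-Windows client, no allowance configured")
    if req.host_integrity_passed is None:
        return RelayDecision("quarantine", QUARANTINE_LEASE_SECONDS, False, "no Symantec client answered")
    if req.host_integrity_passed:
        return RelayDecision("normal", NORMAL_LEASE_SECONDS, True, "Host Integrity passed")
    return RelayDecision("quarantine", QUARANTINE_LEASE_SECONDS, True, "Host Integrity failed")


# Constructed sample requests (not real hosts) used to exercise the rules.
SAMPLE_REQUESTS: List[DhcpRequest] = [
    DhcpRequest("00-11-22-33-44-55", "windows", None),     # device on the trusted list
    DhcpRequest("00:11:22:33:44:66", "linux", None),
    DhcpRequest("00:11:22:33:44:77", "windows", True),
    DhcpRequest("00:11:22:33:44:88", "windows", False),
    DhcpRequest("00:11:22:33:44:99", "windows", None),
]

SAMPLE_POLICY = EnforcerPolicy(trusted_macs={"00:11:22:33:44:55"}, allow_non_windows=False)


def relay_targets(requests=SAMPLE_REQUESTS, policy=SAMPLE_POLICY) -> List[str]:
    """Target chosen for each request, in order."""
    return [decide_relay(r, policy).target for r in requests]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = decide_relay(r, SAMPLE_POLICY)
        print(f"{r.mac:20} -> {d.target:10} lease={d.lease_seconds:5}s  {d.reason}")
```

The `authenticated` flag records that the trusted-MAC path and the non-Windows allowance both skip Host Integrity entirely, so a practitioner reviewing the plan should keep those lists short and reviewed: a MAC address identifies a network card, not a compliant host.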


About the DHCP server

You can set up a separate quarantine DHCP server on a separate computer. You can also configure the same DHCP server to provide both normal and quarantine network configurations.

The quarantine network configuration must provide access to the following components:

■ Remediation server

■ Symantec Endpoint Protection Manager

■ DHCP server

■ DHCP Enforcer appliance

If you use multiple DHCP Enforcer appliances for failover, the quarantine network configuration must provide access to those components.

The quarantine IP address is used during DHCP Enforcer authentication as follows:

■ The DHCP Enforcer appliance initially gets a temporary quarantine IP address for the client to carry out the authentication with the client. If the authentication is successful, the DHCP Enforcer appliance sends a notification message to the client prompting it to perform an IP release and an IP renew immediately. You can assign a short lease time to the quarantine configuration. Symantec recommends two minutes.

■ If you support two DHCP servers, you can set up a range of IP addresses that is separate from the range of the normal network IP addresses. You can then use any IP addresses from the separate IP address range for the quarantine of unauthorized clients. However, the range of IP addresses that is used for quarantine must be located in the same subnet as the normal network IP addresses. You can assign some restricted IP addresses that the quarantine DHCP server can use. You can also use an ACL-enabled router or switch to prevent these restricted IP addresses from accessing the regular network resources.

■ If you use one DHCP server, you must configure a user class called SYGATE_ENF that is used for the quarantine configuration. Some of the configuration steps are performed on the DHCP server. Other configuration tasks are performed on the Enforcer console after you complete the installation.
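A static check of the addressing guidelines in this section and in "DHCP Enforcer appliance IP addresses" above (internal NIC in the DHCP servers' subnet, distinct internal and external addresses across a failover pair, external NIC in the same subnet as the internal NIC, quarantine range in the normal subnet but not overlapping the normal range), written as an added Python example that is not Symantec's code. The plan structure, field names and sample addresses are constructed for the illustration; whether clients can reach the internal address cannot be checked statically and is left out.

```python
"""Validator for the DHCP Enforcer addressing guidelines (added example, not Symantec's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EnforcerNics:
    name: str
    internal: str   # internal NIC address with prefix length, e.g. "10.1.0.2/24"
    external: str   # external NIC address with prefix length


@dataclass
class DhcpPlan:
    client_subnet: str                  # subnet the normal DHCP scope serves
    dhcp_servers: List[str]             # addresses of the normal (and quarantine) DHCP servers
    normal_range: Tuple[str, str]       # first and last address handed to compliant clients
    quarantine_range: Tuple[str, str]   # first and last address reserved for quarantined clients
    enforcers: List[EnforcerNics] = field(default_factory=list)


def _range(pair: Tuple[str, str]):
    first, last = ipaddress.ip_address(pair[0]), ipaddress.ip_address(pair[1])
    if first > last:
        raise ValueError(f"address range {pair} is reversed")
    return first, last


def check_plan(plan: DhcpPlan) -> List[str]:
    """Return the guideline violations found; an empty list means the plan passes."""
    problems: List[str] = []
    subnet = ipaddress.ip_network(plan.client_subnet)

    for e in plan.enforcers:
        internal = ipaddress.ip_interface(e.internal)
        external = ipaddress.ip_interface(e.external)
        # The internal NIC must share a subnet with the DHCP servers it relays to.
        for srv in plan.dhcp_servers:
            if ipaddress.ip_address(srv) not in internal.network:
                problems.append(f"{e.name}: internal NIC {e.internal} is not in the subnet of DHCP server {srv}")
        # The guide places the external NIC in the same subnet as the internal NIC's range.
        if external.network != internal.network:
            problems.append(f"{e.name}: external NIC {e.external} is not in the internal NIC's subnet")

    # A failover pair must not share addresses on either side.
    internals = [ipaddress.ip_interface(e.internal).ip for e in plan.enforcers]
    externals = [ipaddress.ip_interface(e.external).ip for e in plan.enforcers]
    if len(set(internals)) != len(internals):
        problems.append("failover Enforcers share an internal NIC address")
    if len(set(externals)) != len(externals):
        problems.append("failover Enforcers share an external NIC address")

    # Quarantine addresses must sit in the same subnet as the normal addresses ...
    q_first, q_last = _range(plan.quarantine_range)
    n_first, n_last = _range(plan.normal_range)
    if q_first not in subnet or q_last not in subnet:
        problems.append(f"quarantine range {plan.quarantine_range} is outside {plan.client_subnet}")
    # ... but must be separate from them, so that a router or switch ACL can single them out.
    if q_first <= n_last and n_first <= q_last:
        problems.append(f"quarantine range {plan.quarantine_range} overlaps normal range {plan.normal_range}")
    return problems


# Constructed sample plans; the addresses are illustrative only.
GOOD_PLAN = DhcpPlan(
    client_subnet="10.1.0.0/24",
    dhcp_servers=["10.1.0.10"],
    normal_range=("10.1.0.100", "10.1.0.199"),
    quarantine_range=("10.1.0.200", "10.1.0.219"),
    enforcers=[EnforcerNics("enf-a", "10.1.0.2/24", "10.1.0.250/24"),
               EnforcerNics("enf-b", "10.1.0.3/24", "10.1.0.251/24")],
)

BAD_PLAN = DhcpPlan(
    client_subnet="10.1.0.0/24",
    dhcp_servers=["10.1.0.10"],
    normal_range=("10.1.0.100", "10.1.0.199"),
    quarantine_range=("10.1.0.150", "10.1.0.219"),                      # overlaps the normal range
    enforcers=[EnforcerNics("enf-a", "10.2.0.2/24", "10.1.0.250/24"),   # internal NIC in the wrong subnet
               EnforcerNics("enf-b", "10.1.0.3/24", "10.1.0.250/24")],  # duplicate external address
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```

Run against BAD_PLAN the check reports four findings: the misplaced internal NIC, the external NIC that no longer shares its subnet, the duplicated external address, and the overlapping quarantine range.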

Normal and quarantine DHCP server on one DHCP server

You can use the same server for both the normal DHCP server and the quarantine DHCP server. It is recommended that you use two servers.


If you want to use one DHCP server as both the normal and quarantine DHCP server, you must consider the following guidelines:

■ Microsoft DHCP servers do not support multiple subnets. If you use Microsoft DHCP servers, you may require two DHCP servers.

■ If you want to use only one Microsoft DHCP server, all computers must use the same IP address subnet.

■ If you are in an environment that uses two different subnets, you must make sure that the routers can manage two subnets on a single router interface. For example, Cisco routers have a feature called IP secondary. See the router documentation for more information.

Failover planning for DHCP Enforcer appliances

An enterprise can configure two DHCP Enforcer appliances in a network to continue operations in case one of the DHCP Enforcer appliances fails. If a DHCP Enforcer appliance fails in a network that is not configured for failover, network access at that location is automatically blocked and users can no longer connect to the network until the problem with the DHCP Enforcer appliance is corrected.

For a DHCP Enforcer appliance, failover is implemented through the DHCP Enforcer appliance itself instead of third-party switches. If the hardware configuration is set up correctly, the Symantec Endpoint Protection Manager automatically synchronizes the settings for the failover DHCP Enforcer appliances.

How failover works with DHCP Enforcer appliances in the network

The DHCP Enforcer appliance that is operational is called the active DHCP Enforcer appliance. The backup DHCP Enforcer appliance is called the standby DHCP Enforcer appliance. The active DHCP Enforcer appliance is also referred to as the primary DHCP Enforcer appliance. If the active DHCP Enforcer appliance fails, the standby DHCP Enforcer appliance takes over the enforcement tasks.

The sequence in which the two DHCP Enforcer appliances are started is as follows:

■ When the first DHCP Enforcer appliance is started, it runs in standby mode while it queries the network to determine whether another DHCP Enforcer appliance runs. It sends out three queries to search for another DHCP Enforcer. Therefore it can take a few minutes to change its status to Online.

■ If it does not detect another DHCP Enforcer appliance, it becomes the active DHCP Enforcer appliance.


■ While the active DHCP Enforcer appliance runs, it broadcasts failover packets on both the internal and the external networks. It continues to broadcast the failover packets.

■ The second DHCP Enforcer appliance is then started. It runs in standby mode while it queries the network to determine whether another DHCP Enforcer appliance is running.

■ The second DHCP Enforcer appliance detects the active DHCP Enforcer appliance that is running and therefore remains in standby mode.

■ If the active DHCP Enforcer appliance fails, it stops broadcasting failover packets. The standby DHCP Enforcer appliance no longer detects an active DHCP Enforcer appliance. It now becomes the active DHCP Enforcer appliance that handles network connections and security at this location.

■ If you start the other DHCP Enforcer appliance, it remains the standby DHCP Enforcer appliance because it detects that another DHCP Enforcer appliance is running.

Where to place DHCP Enforcer appliances for failover in a network with only one or multiple VLANs

You set up DHCP Enforcer appliances for failover by their physical location and by the configuration that you perform on the Symantec Endpoint Protection Manager. If you use a hub that supports multiple VLANs, you can use only one VLAN unless you integrate an 802.1q-aware switch instead of a hub.

DHCP Enforcer appliances for failover must be set up on the same network segment. A router or gateway cannot be installed between the two DHCP Enforcer appliances, because a router or gateway does not forward the failover packets. The internal NICs must both connect to the internal network through the same switch or hub. The external NICs must both connect to the external VPN server or access point through the same switch or hub.

Configuring DHCP Enforcer appliances for failover at a wireless AP, dial-up RAS, or other access points is similar. The external NICs of both DHCP Enforcer appliances connect to the external network through a wireless AP or RAS server. The internal NICs connect to the internal network or the area that is protected.

Figure 2-4 shows how to set up two DHCP Enforcer appliances for failover to protect network access at a VPN concentrator.


Figure 2-4 Placement of two DHCP Enforcer appliances

[Figure: labelled components are the Symantec Endpoint Protection Manager, hub/switch, DHCP server, corporate backbone, clients, relay agent, servers, a DHCP Enforcer appliance and a failover DHCP Enforcer appliance, each with an external NIC and an internal NIC.]

Setting up DHCP Enforcer appliances for failover

You should familiarize yourself with the concepts that are involved in DHCP Enforcer appliance failover before you set up standby DHCP Enforcer appliances.

See “How failover works with DHCP Enforcer appliances in the network” on page 57.


To set up DHCP Enforcer appliances for failover

1 Place the computers in the network.

See “Where to place DHCP Enforcer appliances for failover in a network with only one or multiple VLANs” on page 58.

2 Set up the external and internal NICs.

The external NICs on multiple DHCP Enforcer appliances must each have a different IP address. The internal NICs on multiple DHCP Enforcer appliances must each have a different IP address.

See “DHCP Enforcer appliance IP addresses” on page 54.

3 Install and start the primary DHCP Enforcer appliance.

If the primary DHCP Enforcer appliance does not locate another DHCP Enforcer, it takes the role of the active DHCP Enforcer appliance.

4 Install and start the standby DHCP Enforcer appliance.

5 Connect the standby DHCP Enforcer appliance to the same Symantec Endpoint Protection Manager as the active DHCP Enforcer appliance.

If both DHCP Enforcer appliances have run for the same amount of time, then the one with the lower IP address becomes the primary DHCP Enforcer appliance.

Failover is enabled by default on the Symantec Endpoint Protection Manager. The Symantec Endpoint Protection Manager automatically assigns the standby DHCP Enforcer appliance to the same Enforcer group. Therefore the settings of the primary and standby DHCP Enforcer appliances are synchronized.

The following failover settings are enabled by default:

■ The default setting for the failover UDP port is 39999. Failover DHCP Enforcer appliances use this port to communicate with each other.

■ The default setting for the failover sensitivity level is High (fewer than five seconds). The failover sensitivity level determines how quickly the standby DHCP Enforcer appliance becomes the primary DHCP Enforcer appliance. The failover only occurs if the standby DHCP Enforcer appliance detects that the primary DHCP Enforcer appliance is no longer active.
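A discrete-time model of the start-up sequence in "How failover works with DHCP Enforcer appliances in the network" and of the takeover and tie-break rules in the procedure above, written in Python as an added example that is not Symantec's code. The port and the five-second High sensitivity are the defaults the guide lists and the three start-up queries come from the text; the one-second tick, the 60-second query spacing and the way a standby "hears" a peer (it sees the active appliance's broadcast failover packets rather than receiving an explicit query reply) are modelling assumptions. The model also shows a case the text only implies: when both appliances are powered on at the same moment, the lower IP address keeps the active role.

```python
"""Discrete-time model of DHCP Enforcer failover (added example, not Symantec's code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

FAILOVER_UDP_PORT = 39999        # default failover port from the guide (informational here)
SENSITIVITY_HIGH_SECONDS = 5     # "High" sensitivity: take over after more than five silent seconds
STARTUP_QUERIES = 3              # a starting appliance searches for a peer three times
QUERY_INTERVAL_SECONDS = 60      # assumed spacing of those queries; the guide only says "a few minutes"


class Enforcer:
    def __init__(self, name: str, ip: str, sensitivity: int = SENSITIVITY_HIGH_SECONDS) -> None:
        self.name = name
        self.ip = ipaddress.ip_address(ip)        # used for the lower-IP tie-break
        self.sensitivity = sensitivity
        self.role = "off"                         # "off", "standby" or "active"
        self.queries_sent = 0
        self.last_query_at: Optional[int] = None
        self.last_peer_packet_at: Optional[int] = None

    def start(self) -> None:
        """Power on: every appliance begins in standby and looks for an active peer."""
        self.role = "standby"
        self.queries_sent = 0
        self.last_query_at = None
        self.last_peer_packet_at = None

    def stop(self) -> None:
        self.role = "off"


class Segment:
    """One network segment. Failover packets are broadcast, so appliances separated by a
    router (which does not forward them) would have to be modelled as separate segments."""

    def __init__(self, enforcers: List[Enforcer]) -> None:
        self.enforcers = enforcers
        self.now = 0    # seconds

    def tick(self) -> None:
        self.now += 1
        # 1. Every active appliance broadcasts a failover packet this second.
        actives = [e for e in self.enforcers if e.role == "active"]
        for e in self.enforcers:
            if e.role != "off" and any(a is not e for a in actives):
                e.last_peer_packet_at = self.now
        # 2. Each standby decides whether to take over.
        for e in self.enforcers:
            if e.role != "standby":
                continue
            if e.last_peer_packet_at is not None:
                # A peer was active; take over once its packets stop for longer than the sensitivity window.
                if self.now - e.last_peer_packet_at > e.sensitivity:
                    e.role = "active"
            elif e.last_query_at is None or self.now - e.last_query_at >= QUERY_INTERVAL_SECONDS:
                # Start-up search: after three unanswered queries, go active.
                if e.queries_sent >= STARTUP_QUERIES:
                    e.role = "active"
                else:
                    e.queries_sent += 1
                    e.last_query_at = self.now
        # 3. Two actives at once (both started together): the lower IP address keeps the role.
        actives = [e for e in self.enforcers if e.role == "active"]
        if len(actives) > 1:
            keep = min(actives, key=lambda e: e.ip)
            for e in actives:
                if e is not keep:
                    e.role = "standby"


def run_until(seg: Segment, t: int) -> None:
    while seg.now < t:
        seg.tick()


def scenario_staggered_start() -> Dict[str, Tuple[str, str]]:
    """Start A alone, add B, fail A, bring A back; returns (A role, B role) after each stage."""
    a, b = Enforcer("enf-a", "10.0.0.2"), Enforcer("enf-b", "10.0.0.1")
    seg = Segment([a, b])
    a.start()
    run_until(seg, 200)                  # A hears nobody and goes active after its third query
    stages = {"a_alone": (a.role, b.role)}
    b.start()
    run_until(seg, 300)                  # B hears A's packets and stays standby
    stages["b_joins"] = (a.role, b.role)
    a.stop()
    run_until(seg, 310)                  # A's packets stop; B takes over within the sensitivity window
    stages["a_fails"] = (a.role, b.role)
    a.start()
    run_until(seg, 400)                  # A returns, detects B, and remains standby
    stages["a_returns"] = (a.role, b.role)
    return stages


def scenario_simultaneous_start() -> Tuple[str, str]:
    """Both appliances powered on at the same moment; the lower IP wins the active role."""
    a, b = Enforcer("enf-a", "10.0.0.2"), Enforcer("enf-b", "10.0.0.1")
    seg = Segment([a, b])
    a.start()
    b.start()
    run_until(seg, 200)
    return a.role, b.role


if __name__ == "__main__":
    print(scenario_staggered_start())
    print(scenario_simultaneous_start())
```

The takeover stage is the one worth watching in a real deployment: with the High setting a standby promotes itself after a handful of missed packets, so a congested or flapping link between the two appliances (rather than a genuine failure) can also trigger a takeover, which argues for the same-switch placement the previous section requires.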


Installation planning for a LAN Enforcer appliance

Several types of planning information can help you implement LAN Enforcer appliances in a network.

See “Where to place LAN Enforcer appliances” on page 61.

Where to place LAN Enforcer appliances

A LAN Enforcer appliance acts as a RADIUS proxy. Administrators typically use a LAN Enforcer appliance with a RADIUS server to enforce 802.1x Extensible Authentication Protocol (EAP) authentication in a corporate network. If you use a LAN Enforcer appliance in this configuration, the LAN Enforcer appliance must be able to communicate with the RADIUS server.

For example, you can connect a LAN Enforcer appliance to an 802.1x-aware LAN switch on an internal VLAN with a Symantec Endpoint Protection Manager, RADIUS server, and clients. A computer that does not have the client software cannot connect to the network. However, the client is directed to a remediation server from which it can obtain the software that it needs to become compliant.

Figure 2-5 shows an example of where you can place a LAN Enforcer appliance in the overall internal network configuration.


Figure 2-5 Placement of LAN Enforcer appliances

[Figure: labelled components are protected servers, clients, the Symantec Endpoint Protection Manager, a remediation server, an 802.1x-aware LAN switch with dot1x-enabled ports for internal clients, a remediation VLAN, the LAN Enforcer appliance (RADIUS proxy), the corporate backbone, and a RADIUS server.]

If a switch supports dynamic VLAN switching, additional VLANs can be configured on the 802.1x-aware switch and accessed through the LAN Enforcer appliance. The 802.1x-aware switch can dynamically put the client into a VLAN after it receives a reply from the RADIUS server. Some 802.1x-aware switches also include a default or guest VLAN feature. If a client has no 802.1x supplicant, the 802.1x-aware switch can put the client into a default VLAN.


You can install the LAN Enforcer appliance so that you can enable EAP authentication throughout the network with the equipment that is already deployed. LAN Enforcer appliances can work with existing RADIUS servers, 802.1x supplicants, and 802.1x-aware switches. They perform the computer-level authentication, which makes sure that the client complies with security policies.

For example, the LAN Enforcer appliance checks that antivirus software has been updated with the latest signature file updates and the required software patches. The 802.1x supplicant and the RADIUS server perform the user-level authentication, which verifies that the clients who try to connect to the network are who they claim to be.

Alternatively, a LAN Enforcer appliance can also work in transparent mode, which removes the need for a RADIUS server. In transparent mode, the client passes Host Integrity information to the 802.1x-aware switch in response to the EAP challenge. The switch then forwards that information to the LAN Enforcer appliance, which sends authentication results back to the 802.1x-aware switch. The information that the LAN Enforcer appliance sends is based on the Host Integrity validation results. Therefore the LAN Enforcer appliance requires no communication with a RADIUS server.

The following configurations are available for a LAN Enforcer appliance:

■ Basic configuration. This configuration requires a RADIUS server and third-party 802.1x supplicants. Both traditional EAP user authentication and Symantec Host Integrity validation are performed.

■ Transparent mode. This configuration does not require a RADIUS server or the use of third-party 802.1x supplicants. Only Host Integrity validation is performed.

You can consider the following issues:

■ Do you plan to have an 802.1x supplicant installed on every computer? If so, you can use the basic configuration.

■ Do you want to perform a user-level authentication in addition to the Host Integrity check? If so, you must use the basic configuration.

■ Do you plan to use a RADIUS server in the network configuration? If so, you can use either the basic configuration or transparent mode. If not, you must use transparent mode.


Failover planning for LAN Enforcer appliances

If you have installed two LAN Enforcer appliances in a network, failover is handled through the 802.1x-aware switch. An 802.1x-aware switch can support multiple LAN Enforcer appliances. You can easily synchronize the settings of LAN Enforcer appliances on the Symantec Endpoint Protection Manager through the use of synchronization settings.

If you want to synchronize the settings of one LAN Enforcer appliance with another LAN Enforcer appliance, you must specify the same Enforcer group name on the Enforcer console.

If you use a RADIUS server in your network, you can provide for RADIUS server failover by configuring the LAN Enforcer appliance to connect to multiple RADIUS servers. If all the RADIUS servers that are configured for that LAN Enforcer appliance become disabled, the switch assumes that the LAN Enforcer appliance is disabled. Therefore, the 802.1x-aware switch connects to a different LAN Enforcer appliance, which provides additional failover support.

Where to place LAN Enforcer appliances for failover in a network

Figure 2-6 shows how to provide failover for LAN Enforcer appliances.


Figure 2-6 Placement of two LAN Enforcer appliances

[Figure: labelled components are protected servers, clients, the Symantec Endpoint Protection Manager, a remediation server, an 802.1x-aware LAN switch with dot1x-enabled ports for internal clients, a remediation VLAN, a RADIUS server, the LAN Enforcer appliance (RADIUS proxy), the corporate backbone, and a failover RADIUS server.]


Chapter 3: Upgrading and migrating Enforcer appliance images

This chapter includes the following topics:

■ About upgrading and migrating Enforcer appliance images to version 11.0.3000

■ Determining the current version of an Enforcer appliance image

■ Upgrading the Enforcer appliance image from 11.0 or 11.0.2000 to 11.0.3000

■ Migrating the Enforcer appliance image from 5.1.x to 11.0.3000

■ Reimaging an Enforcer appliance image

About upgrading and migrating Enforcer appliance images to version 11.0.3000

You may want to determine the version of the Enforcer appliance software before you plan to update, migrate, or reimage any of the Enforcer appliance software.

See “Determining the current version of an Enforcer appliance image” on page 68.

You may need to upgrade the image of an Enforcer appliance to version 11.0.3000 if you want to connect to a Symantec Endpoint Protection Manager version 11.0.3. The upgrade enables you to take advantage of the new features that the Symantec Network Access Control Enforcer appliance version 11.0.3000 provides.

You can select any of the following methods to upgrade the Enforcer appliance image:

■ Upgrade the current Enforcer appliance image. See “Upgrading the Enforcer appliance image from 11.0 or 11.0.2000 to 11.0.3000” on page 68.


■ Migrate from the 5.1.x Enforcer appliance image to the 11.0.2000 Enforcer appliance image. See “Migrating the Enforcer appliance image from 5.1.x to 11.0.3000” on page 69.

■ Install a different Enforcer appliance image over a previous Enforcer appliance image. See “Reimaging an Enforcer appliance image” on page 70.

The Symantec Network Access Control Enforcer appliance version 11.0.3 works with the following versions of the Symantec Endpoint Protection Manager:

■ Version 11.0.2

■ Version 11.0.3

Determining the current version of an Enforcer appliance image

You should determine the current version of the image that is supported on the Enforcer appliance. The latest version is 11.0.3000. If you have a version that precedes 11.0.3000, you should try to upgrade or migrate.

For example, if you determine the version of a DHCP Enforcer appliance image, then the output may appear as follows:

Symantec Network Access Control Enforcer 6100 Series - v11.0.1

build XXXX, 2007-11-29,19:09

DHCP Enforcer mode

To determine the current version of an Enforcer appliance image

◆ Type the following command on the command-line interface of an Enforcer appliance:

show version
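A small parser for the show version banner reproduced above that maps the version it finds to the procedure this chapter prescribes (upgrade from the CD for 11.0 and 11.0.2000, migrate from a USB disk or TFTP server for 5.1.x, nothing for 11.0.3000). This is an added Python example, not Symantec's code; the sample banner is the one the guide prints, and treating every 11.0.x build below 11.0.3000 the way the guide treats 11.0 and 11.0.2000 is an assumption.

```python
"""Parse the 'show version' banner and pick the matching procedure (added example, not Symantec's code)."""
import re
from typing import Optional, Tuple

TARGET_VERSION = (11, 0, 3000)    # latest image version named in this chapter

# Banner reproduced from the guide's example output (build number masked there as XXXX).
SAMPLE_BANNER = """Symantec Network Access Control Enforcer 6100 Series - v11.0.1
build XXXX, 2007-11-29,19:09
DHCP Enforcer mode
"""

_VERSION_RE = re.compile(r"\bv(\d+(?:\.\d+)*)\b")
_MODE_RE = re.compile(r"^(\w+) Enforcer mode\s*$", re.MULTILINE)


def parse_banner(text: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Return (version tuple, Enforcer mode) from the banner; raise if no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version string (vX.Y.Z) in banner")
    version = tuple(int(part) for part in m.group(1).split("."))
    mode = _MODE_RE.search(text)
    return version, (mode.group(1) if mode else None)


def required_action(version: Tuple[int, ...]) -> str:
    """Map an image version to the procedure this chapter prescribes.

    "upgrade"     : 11.0.x below 11.0.3000, updated from the CD (the guide names 11.0 and
                    11.0.2000; treating every lower 11.0.x build the same way is an assumption)
    "migrate"     : 5.1.x, updated from a USB disk or a TFTP server
    "current"     : already 11.0.3000 or later
    "unsupported" : anything else; not covered by this chapter
    """
    v = tuple(version) + (0,) * max(0, 3 - len(version))   # pad "11.0" to (11, 0, 0)
    if v >= TARGET_VERSION:
        return "current"
    if v[:2] == (11, 0):
        return "upgrade"
    if v[:2] == (5, 1):
        return "migrate"
    return "unsupported"


def action_for_banner(text: str) -> Tuple[str, Optional[str]]:
    version, mode = parse_banner(text)
    return required_action(version), mode


if __name__ == "__main__":
    print(action_for_banner(SAMPLE_BANNER))   # ('upgrade', 'DHCP')
```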

Upgrading the Enforcer appliance image from 11.0 or 11.0.2000 to 11.0.3000

You can use the following method to update an Enforcer appliance image from version 11.0 or 11.0.2000 to version 11.0.3000.


To upgrade the Enforcer appliance image from 11.0 or 11.0.2000 to 11.0.3000

1 Insert the CD in the CDROM drive of the Enforcer appliance.

2 Type the following command on the console of an Enforcer appliance:

Enforcer# update

Migrating the Enforcer appliance image from 5.1.x to 11.0.3000

You can use any of the following methods to update an Enforcer appliance image from version 5.1.x to version 11.0.3000:

■ Migrate the Enforcer appliance image from 5.1.x to 11.0.3000 with a USB (Universal Serial Bus) disk.

■ Migrate the Enforcer appliance image from 5.1.x to 11.0.3000 from a TFTP server.

To migrate the Enforcer appliance image from 5.1.x to 11.0.3 with a USB disk

1 Copy the two update files, initrd-Enforcer.img.gpg and package list, to a USB disk.

2 Type the following command to automatically update the Enforcer appliance:

Enforcer# update

See “Update” on page 238.

To migrate the Enforcer appliance image from 5.1.x to 11.0.3000 with a TFTP server

1 Upload the two update files, initrd-Enforcer.img.gpg and package list, to a Trivial File Transfer Protocol (TFTP) server to which an Enforcer appliance can connect.

2 Run the following command on the console of the Enforcer appliance:

Enforcer:# update tftp://IP address of TFTP server

See “Update” on page 238.

3 Select Y when you are prompted to launch the new image.

4 Select 1 to restart the Enforcer appliance after applying the new image.

It is not recommended that you launch the new image without restarting the Enforcer appliance.


5 Log on to the Enforcer appliance.

See “Logging on to an Enforcer appliance” on page 82.

Reimaging an Enforcer appliance image

The Enforcer appliance comes with reimaging software for all Enforcer appliances: Gateway, LAN, and DHCP. The reimaging software includes the hardened Linux operating system and the Enforcer appliance software for replacement of an Enforcer appliance image.

When you start the installation from the CD, the reimaging process erases the existing configuration on the Enforcer appliance. New files are installed over all existing files. Any configuration that was previously set on the Enforcer appliance is lost.

You can install a different type of Enforcer appliance image if you want to change the type that you use. If you change the type of Enforcer appliance image, it may involve the relocation of an Enforcer appliance in the corporate network.

See “Installation planning for Enforcer appliances” on page 41.

To reimage an Enforcer appliance

1 Insert the CD in the CD-ROM drive of the Enforcer appliance.

2 On the command line, type the following command:

Enforcer:# reboot

This command restarts the Enforcer appliance.

3 In the Setup menu, select Setup Symantec Enforcer from the CD.

If you miss the Setup menu, the Enforcer appliance restarts from the disk rather than the CD. To reimage, you must restart from the CD.

4 Install and configure the Enforcer appliance.

See “Installing an Enforcer appliance” on page 75.


Chapter 4: Installing the Enforcer appliance for the first time

This chapter includes the following topics:

■ Before you install the Enforcer appliance

■ Installing an Enforcer appliance

Before you install the Enforcer appliance

The Enforcer appliance is a hardware device that enforces network access control to clients that try to connect to the network. If clients are in compliance with security policies, they are permitted to access resources on the network.

The type of Enforcer appliance that you can implement depends on the type of Symantec Network Access Control product that you purchased.

See your license agreement for more information.

You can deploy the Enforcer appliance that works with the Symantec Endpoint Protection Manager and clients.

The Enforcer includes the following types:

■ Gateway Enforcer appliance

■ DHCP Enforcer appliance

■ LAN Enforcer appliance

About the Gateway Enforcer appliance installation

A Gateway Enforcer appliance is generally used inline as a secure policy-enforcing bridge to protect a corporate network from external intruders. Before you install a Gateway Enforcer appliance, you need to think about locating it appropriately on the network. Gateway Enforcer appliances can be placed throughout the enterprise to ensure that all endpoints comply with the security policy.

You can use Gateway Enforcer appliances to protect servers within the company. They can ensure that only the trusted or the authenticated clients can access the servers.

Gateway Enforcer appliances typically are in use in the following network locations:

■ VPN

■ Wireless access point (WAP)

■ Dial-up (Remote access server [RAS])

■ Ethernet (local area network [LAN]) segments

See “Where to place a Gateway Enforcer appliance” on page 42.

About the DHCP Enforcer appliance installation

A DHCP Enforcer is used inline as a secure policy-enforcing bridge to protect an internal network.

Clients that try to connect to the network send a DHCP request for a dynamic IP address. The switch or router (which acts as a DHCP relay agent) routes the DHCP request. The DHCP request is sent to the DHCP Enforcer appliance, which is configured inline in front of the DHCP server. Before the DHCP Enforcer appliance forwards the DHCP request to the DHCP server, the DHCP Enforcer appliance verifies that clients comply with security policies.

If a client complies with security policies, the DHCP Enforcer sends the client request for an IP address to the normal DHCP server.

If the client does not comply with the security policies, the DHCP Enforcer appliance connects it to the quarantine DHCP server. The quarantine DHCP server assigns the client a quarantine network configuration.

To complete the DHCP Enforcer configuration, you must set up a remediation server and restrict the access of the quarantined clients. Restricted clients can interact only with the remediation server.

If high availability is required, you can install two or more DHCP Enforcer appliances to provide failover capabilities.

See “Where to place DHCP Enforcer appliances in a network” on page 52.


About the LAN Enforcer appliance installation

The LAN Enforcer appliance can perform host authentication and act as a pseudo-RADIUS server (even without a RADIUS server). The Enforcement client acts as an 802.1x supplicant. It responds to the switch’s Extensible Authentication Protocol (EAP) challenge with the Host Integrity status and policy number information. The RADIUS server IP address is set to 0 in this case, and no traditional EAP user authentication takes place. The LAN Enforcer appliance checks Host Integrity. It can allow, block, or dynamically assign a VLAN, as appropriate, based on the results of the Host Integrity check.

If you have Symantec Endpoint Protection, another configuration is also available. You can use a LAN Enforcer appliance with a RADIUS server to enforce 802.1x EAP authentication internally in a corporate network. If a LAN Enforcer appliance is used in this configuration, you need to position it so that it can communicate with the RADIUS server.

If your switch supports dynamic VLAN switching, additional VLANs can be configured on the switch and accessed through the LAN Enforcer appliance. The switch can dynamically put the client into a VLAN that is based on the reply from the LAN Enforcer appliance. You may want to add VLANs for quarantine and remediation.

See “Where to place LAN Enforcer appliances” on page 61.

About the Enforcer appliance indicators and controls

The Enforcer appliance is installed on a 1U rack-mountable chassis with support for static rails.

Figure 4-1 shows the controls, indicators, and connectors that are located behind the optional bezel on the front panel.

Figure 4-1 Enforcer appliance front panel

1 CD-ROM drive

2 Power switch

3 Reset icon

4 USB ports

5 Hard drive light

6 Monitor

7 Reserved; do not use

Figure 4-2 shows the back panel of the system.

Figure 4-2 Enforcer appliance back panel (Failopen model shown)

1 Power cord connector

2 Mouse connector

3 Keyboard connector

4 USB ports

5 Serial port

6 Monitor

7 Reserved; do not use

8 Reserved network ports; do not use

9 eth0 network port

10 eth1 network port

You can use the provided serial port and the serial cable to connect to another system that is hooked up to a monitor and keyboard. Alternatively, you can connect a monitor or keyboard directly. If you connect by using the serial port, the default baud rate that is set on the Enforcer is 9600. You must configure the connection on the other system to match. Connecting by the serial port is the preferred method. It lets you transfer files, such as debugging information, to the connected computer for troubleshooting.

Table 4-1 lists the hardware specifications for the Enforcer appliance.


Table 4-1 Hardware specifications

Part              Description
Base unit         521, 2.8-GHz/1 MB cache, Pentium 4 800-MHz front side bus
Memory            1 GB DDR2, 533-MHz, 2x512 single-ranked DIMMs
Hard drive        160 GB, SATA, 1-inch, 7200-RPM hard drive
Network adapters  Single network adapter with two ports (eth0 is internal NIC and eth1 is external NIC by default). Failopen model has four ports, two of which are not used.
CD-ROM drive      24X, CD, 650 MB, internal

Gateway Enforcer appliance or DHCP Enforcer appliance NIC settings

The network interface cards (NICs) on a Gateway Enforcer appliance or a DHCP Enforcer appliance are configured by default as follows:

Internal NIC (eth0)
If you use the Gateway Enforcer appliance, the internal NIC must connect to the Symantec Endpoint Protection Manager.

External NIC (eth1)
If you use the DHCP Enforcer appliance, the external NIC must connect to the Symantec Endpoint Protection Manager.

You can use the configure interface-role command if you need to change which NIC is external and which is internal.

See “Configure interface-role” on page 251.

For the DHCP Enforcer, use this command with the manager option to specify the NIC that is used to connect to the Symantec Endpoint Protection Manager.

The following example shows the syntax:

configure interface-role manager eth1

See “Installing an Enforcer appliance” on page 75.

Installing an Enforcer appliance

Before you start to install any of the Enforcer appliances, you should have familiarized yourself with the locations of the components in your network.

See “Installation planning for Enforcer appliances” on page 41.

The Symantec Network Access Control Enforcer appliance comes with an installation CD called CD2 that contains software for the following components:

■ Gateway Enforcer appliance

■ LAN Enforcer appliance

■ DHCP Enforcer appliance

You select the type of Enforcer appliance that you want during the installation process.

During the installation of an Enforcer appliance, you must have the following information handy:

■ Host name that you want to assign to the Enforcer appliance. The default host name is Enforcer. You may want to change this name to make it easier to identify each Enforcer appliance in a network.

■ IP addresses of the network interface cards (NICs) on the Enforcer appliance

■ IP address, host name, or domain ID of the domain name server (DNS), if applicable. If you want the Enforcer appliance to connect to a Symantec Endpoint Protection Manager by using a host name, it needs to connect to a DNS server. Only DNS servers can resolve host names. You can configure the IP address of the DNS server during the installation. You can also use the configure DNS command to change the IP address of a DNS server later. See “Configure DNS” on page 249.

Installation of the Enforcer appliance involves the following tasks:

■ Setup of an Enforcer appliance

■ Configuration of an Enforcer appliance

To set up an Enforcer appliance

1 Unpack the Enforcer appliance.

2 Mount the Enforcer appliance in a rack, or place it on a level surface.

See the rack mounting instructions that are included with the Enforcer appliance.

3 Plug into an electrical outlet.

4 Connect the Enforcer appliance by using one of the following methods:

■ Connect another computer to the Enforcer appliance by using a serial port.


Use a null modem cable with a DB9 connector (female). You must use terminal software, such as HyperTerminal, CRT, or NetTerm, to access the Enforcer console. Set your terminal software to 9600 bps, data bits 8, no parity, 1 stop bit, no flow control. Connecting through the Serial Console is the preferred method because it allows for file transfers from the Enforcer appliance.

■ Connect a keyboard and VGA monitor directly to the Enforcer appliance.

5 Connect the Ethernet cables to the network interface ports as follows:

Gateway Enforcer appliance

Connect two Ethernet cables. One cable connects to the eth0 port (internal NIC). The other cable connects to the eth1 port (external NIC) on the rear of the Enforcer appliance.

The internal NIC connects to the protected network and the Symantec Endpoint Protection Manager. The external NIC connects to the endpoints.

DHCP Enforcer appliance

Connect two Ethernet cables. One cable connects to the eth0 port (internal NIC). The other cable connects to the eth1 port (external NIC) on the rear of the Enforcer appliance.

The internal NIC connects to the DHCP server; the external NIC connects to the endpoints and the Symantec Endpoint Protection Manager.

LAN Enforcer appliance

Connect one Ethernet cable to the eth0 port on the rear of the Enforcer appliance. This cable connects to the internal network. The internal network connects to an 802.1x-enabled switch and to any additional 802.1x-enabled switches in your network.

6 Switch on the power.

The Enforcer appliance starts.

7 Press Enter twice.

8 At the logon prompt, log in as follows:

Console Login: root

Password: symantec

The Enforcer appliance automatically logs users off after 90 seconds of inactivity.


To configure an Enforcer appliance

1 Specify the type of Enforcer appliance as follows, responding to the prompts from the Enforcer:

1. Select Enforcer mode

[G] Gateway [D] DHCP [L] LAN

Where:

G Gateway Enforcer appliance

D DHCP Enforcer appliance

L LAN Enforcer appliance

2 Change the host name of the Enforcer appliance, or press Enter to leave the host name of the Enforcer appliance unchanged.

The default host name of the Enforcer appliance is Enforcer. The name of the Enforcer appliance automatically registers on the Symantec Endpoint Protection Manager during the next heartbeat.

At the prompt, type the following command if you want to change the host name of the Enforcer appliance:

2. Set the host name

Note:

1) Input new hostname or press "Enter" for no change. [Enforcer]:

hostname hostname

See “Hostname” on page 235.

where hostname is the new host name for the Enforcer appliance.

Be sure to register the host name of the Enforcer appliance on the Domain Name Server itself.

3 Type the following command to confirm the new host name of the Enforcer appliance:

show hostname

4 Type the IP address of the DNS server and press Enter.


5 Type the new root password at the prompt by first typing the following command:

password

Old password: symantec

New password: new password

You must change the root password that you used to log on to the Enforcer appliance. Remote access is not enabled until you change the password. The new password must be at least 9 characters long, and contain one lowercase letter, one uppercase letter, one digit, and one symbol.

6 Type the new admin password.

7 Set the time zone by following these prompts.

Set the time zone

Current time zone is [+0000]. Change it? [Y/n]

If you click 'Y', follow the steps below:

1) Select a continent or ocean

2) Select a country

3) Select one of the time zone regions

4) Set the date and time

Enable the NTP feature [Y/n]

Set the NTP server:

Note: We set up the NTP server as an IP address

8 Set the date and time.

9 Configure the network settings and complete the installation, following the Enforcer prompts.

Enter network settings

Configure eth0:

Note: Input new settings.

IP address []:

Subnet mask []:

Set Gateway? [Y/n]

Gateway IP[]:

Apply all settings [Y/N]:


About the Enforcer appliance lock

The Enforcer appliance comes with a separate bezel that can be attached to the front panel. It includes a key. Therefore, you can lock the Enforcer appliance for additional security. The use of the bezel is optional. It is recommended for highest security. You must place the key in a secure location.


Chapter 5: Performing basic tasks on the console of an Enforcer appliance

This chapter includes the following topics:

■ About performing basic tasks on the console of an Enforcer appliance

■ Logging on to an Enforcer appliance

■ Configuring a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager

■ Checking the communication status of an Enforcer appliance on the Enforcer console

■ Remote access to an Enforcer appliance

■ Enforcer reports and debug logs

About performing basic tasks on the console of an Enforcer appliance

You must have already configured the following parameters during the installation of the Enforcer appliance:

■ Host name of the Enforcer appliance

■ Group name of the Enforcer appliance group of which a particular Enforcer appliance is a member

■ IP addresses of the internal and external network interface cards (NICs)


■ IP address of the DNS server, if applicable

■ IP address of the NTP server, if applicable

However, you must still configure a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager. You execute the spm command on the console of the Enforcer appliance to configure this connection. You cannot proceed to use an Enforcer appliance unless you complete this task.

See “Configuring a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager” on page 83.

Although you typically administer an Enforcer appliance on the console of the Symantec Endpoint Protection Manager after you complete the initial installation and configuration of an Enforcer appliance, you may still need to perform many of the administrative tasks on the console of an Enforcer appliance. If you administer multiple Enforcer appliances, it is convenient to administer them all from one centralized location.

All Enforcer appliances also have a command-line interface (CLI) from which you can execute commands to change any number of parameters.

See “About the Enforcer appliance CLI command hierarchy” on page 207.

Logging on to an Enforcer appliance

When you turn on or restart the Enforcer appliance, the logon prompt for the Enforcer appliance console appears:

Enforcer Login

The following levels of access are available:

Superuser: Access to all commands

Normal: Access only to the clear, exit, help, and show commands for each level of the command hierarchy

Note: The Enforcer appliance automatically logs users off after 90 seconds of inactivity.


To log on to an Enforcer appliance with access to all commands

1 On the command line, log on to an Enforcer appliance with access to all commands by typing the following command:

root

2 Type the password that you created during the initial installation.

The default password is symantec.

The console command prompt for root is Enforcer#

To log on to an Enforcer appliance with limited access to commands

1 If you want to log on to an Enforcer appliance with limited access to commands, type the following command on the command line:

admin

2 Type the password on the command line.

The default password is symantec.

The console command prompt for admin is Enforcer$

Configuring a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager

You must establish communication between the Enforcer appliance and the Symantec Endpoint Protection Manager on the Enforcer console. You must have also completed the installation of the Enforcer appliance and the configuration of the internal and external NICs on the Enforcer appliance.

See “Installing an Enforcer appliance” on page 75.

If you want to establish communication between an Enforcer appliance and the Symantec Endpoint Protection Manager on an Enforcer console, you need to have the following information on hand:

■ IP address of the Symantec Endpoint Protection Manager. Check with the administrator of the server on which the Symantec Endpoint Protection Manager has been installed to obtain the IP address.

■ Enforcer group name to which you want to assign the Enforcer appliance. After you finish configuring the Enforcer group name to which you want to assign the Enforcer appliance on the console of an Enforcer appliance, the Enforcer group name is automatically registered on the Symantec Endpoint Protection Manager.

■ Port number on the Symantec Endpoint Protection Manager that is used to communicate with the Enforcer appliance. The default port number is 80.

■ The encrypted password that was created during the initial installation of the Symantec Endpoint Protection Manager

To configure a connection between an Enforcer appliance and a Symantec Endpoint Protection Manager

1 At the command line on the console of an Enforcer appliance, type configure.

2 Type

spm ip ipaddress group Enforcer group name http port number key encrypted password

See “Configure SPM” on page 253.

You can use the following example as a guideline:

spm ip 192.168.0.64 group CorpAppliance http 80 key symantec

This example configures the Enforcer appliance to communicate with the Symantec Endpoint Protection Manager that has the IP address 192.168.0.64, in the CorpAppliance group. It uses the HTTP protocol on port 80 with an encrypted password or preshared secret of symantec.


3 Check the communication status of the Enforcer appliance and the Symantec Endpoint Protection Manager.

See “Checking the communication status of an Enforcer appliance on the Enforcer console” on page 85.

4 Configure, deploy, and install or download client software if you have not already done so.

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information about configuration, deployment, and installation of a Symantec Endpoint Protection or a Symantec Network Access Control client, also known as a managed client.

If you want guests (also known as unmanaged client computers) to be able to automatically download Symantec Network Access Control On-Demand Clients on Windows and Macintosh platforms, you need to configure a Gateway or a DHCP Enforcer to manage the automatic downloading process.

See “Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.

Checking the communication status of an Enforcer appliance on the Enforcer console

You can check the communication status of an Enforcer appliance from the Enforcer console.


To check the communication status of an Enforcer appliance on the Enforcer console

1 Log on to the Enforcer console if you are not already logged on.

See “Logging on to an Enforcer appliance” on page 82.

2 Type the following command: show status

You can view information about the current connection status.

The following example indicates that the Enforcer appliance is online and connected to a Symantec Endpoint Protection Manager with an IP address of 192.168.0.1 and communication port 80:

Enforcer#: show status

Enforcer Status: ONLINE(ACTIVE)

Policy Manager Connected: YES

Policy Manager: 192.168.0.1 HTTP 80

Packets Received: 3659

Packets Transmitted: 3615

Packet Receive Failed: 0

Packet Transfer Failed: 0

Enforcer Health: EXCELLENT

Enforcer Uptime: 10 days 01:10:55

Policy ID: 24/12/2007 21:31:55
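As an added example (not Symantec's code, and not part of the original guide), the following Python parses the show status output above into named fields and lists the conditions an operator would alert on: manager not connected, packet failures, non-EXCELLENT health, or a recent restart. The second sample and the failure and uptime thresholds are constructed assumptions, since the guide only shows the healthy case.

```python
"""Parse and health-check the output of the Enforcer console 'show status' command.

Added example, not Symantec code. SAMPLE_OK is the output shown in the guide;
SAMPLE_DEGRADED is constructed, and the thresholds below are assumptions.
"""
import re

# Output shown in the guide for an Enforcer that is ONLINE and connected.
SAMPLE_OK = """\
Enforcer#: show status
Enforcer Status: ONLINE(ACTIVE)
Policy Manager Connected: YES
Policy Manager: 192.168.0.1 HTTP 80
Packets Received: 3659
Packets Transmitted: 3615
Packet Receive Failed: 0
Packet Transfer Failed: 0
Enforcer Health: EXCELLENT
Enforcer Uptime: 10 days 01:10:55
Policy ID: 24/12/2007 21:31:55
"""

# Constructed sample (not from the guide): manager unreachable after a recent restart.
SAMPLE_DEGRADED = """\
Enforcer#: show status
Enforcer Status: ONLINE(ACTIVE)
Policy Manager Connected: NO
Policy Manager: 192.168.0.1 HTTP 80
Packets Received: 120
Packets Transmitted: 118
Packet Receive Failed: 7
Packet Transfer Failed: 3
Enforcer Health: POOR
Enforcer Uptime: 0 days 00:05:12
Policy ID: 24/12/2007 21:31:55
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
MANAGER_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>HTTPS?)\s+(?P<port>\d+)$")
UPTIME_RE = re.compile(r"^(?P<days>\d+)\s+days?\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)$")


def parse_show_status(text):
    """Map each 'Key: value' line to a dict; the echoed prompt line is skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Enforcer#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def manager_endpoint(fields):
    """Return (ip, protocol, port) from 'Policy Manager: 192.168.0.1 HTTP 80'."""
    m = MANAGER_RE.match(fields.get("Policy Manager", ""))
    if m is None:
        return None
    return m.group("ip"), m.group("proto"), int(m.group("port"))


def uptime_seconds(fields):
    """Convert 'N days HH:MM:SS' to seconds, or None if the field is absent or odd."""
    m = UPTIME_RE.match(fields.get("Enforcer Uptime", ""))
    if m is None:
        return None
    return (int(m.group("days")) * 86400 + int(m.group("h")) * 3600
            + int(m.group("m")) * 60 + int(m.group("s")))


def status_problems(fields, max_failed=0, min_uptime=3600):
    """List the findings an operator would alert on; an empty list means healthy.

    The guide only shows EXCELLENT health, so any other value is treated as a
    finding (assumption). A restart within min_uptime seconds is also flagged,
    because an unplanned reboot of an enforcement point deserves a look.
    """
    problems = []
    if not fields.get("Enforcer Status", "").startswith("ONLINE"):
        problems.append("Enforcer is not ONLINE")
    if fields.get("Policy Manager Connected") != "YES":
        problems.append("not connected to the Symantec Endpoint Protection Manager")
    for key in ("Packet Receive Failed", "Packet Transfer Failed"):
        value = fields.get(key, "")
        if not value.isdigit() or int(value) > max_failed:
            problems.append(f"{key}: {value or 'missing'}")
    if fields.get("Enforcer Health") != "EXCELLENT":
        problems.append(f"Enforcer Health: {fields.get('Enforcer Health', 'missing')}")
    up = uptime_seconds(fields)
    if up is None or up < min_uptime:
        problems.append(f"Enforcer Uptime: {fields.get('Enforcer Uptime', 'missing')}")
    return problems


if __name__ == "__main__":
    for name, sample in (("guide sample", SAMPLE_OK), ("constructed", SAMPLE_DEGRADED)):
        found = status_problems(parse_show_status(sample))
        print(name, "->", "healthy" if not found else "; ".join(found))
```

Feed it the text captured over the serial console or an SSH session; the functions return plain values so the check can be dropped into whatever monitoring job polls the appliances.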

Remote access to an Enforcer appliance

To securely communicate with the Enforcer for command-line access, use one of the following methods:

■ Networked KVM switch or similar device

■ SSH client which supports SSH v2

■ Terminal console server

■ Serial cable

Enforcer reports and debug logs

You can view the Enforcer reports and the debug logs on the Symantec Endpoint Protection Manager Console as well as on the Enforcer console.

See “About Enforcer reports” on page 407.

See “About Enforcer logs” on page 408.


Chapter 6: Configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager Console

This chapter includes the following topics:

■ About configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager Console

■ Changing Gateway Enforcer appliance configuration settings on a management server

■ Using general settings

■ Using authentication settings

■ Authentication range settings

■ Using advanced Gateway Enforcer appliance settings


About configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager Console

You can add or edit the configuration settings for the Gateway Enforcer appliance in the Symantec Endpoint Protection Manager Console.

Before you can proceed, you must complete the following tasks:

■ Install the software for the Symantec Endpoint Protection Manager on a computer. See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control. The computer on which the Symantec Endpoint Protection Manager software is installed is also referred to as the management server.

■ Connect the Symantec Gateway Enforcer appliance to the network. See “To set up an Enforcer appliance” on page 76.

■ Configure the Symantec Gateway Enforcer appliance on the local Gateway Enforcer console during the installation. See “To configure an Enforcer appliance” on page 78.

After you finish these tasks, you can specify additional configuration settings for the Gateway Enforcer appliance on a management server.

When you install a Gateway Enforcer appliance, a number of default settings and ports are automatically set up. The default settings for the Gateway Enforcer appliance on the Symantec Endpoint Protection Manager allow all clients to connect to the network if the client passes the Host Integrity check. The Gateway Enforcer appliance acts as a bridge. Therefore you can complete the process of setting up the Gateway Enforcer appliance and deploying clients without blocking access to the network.

However, you need to change the default settings on the Symantec Endpoint Protection Manager in order to limit which clients are allowed access without authentication. Optionally, there are other default settings for the Gateway Enforcer appliance that you may want to customize before you start enforcement.

Changing Gateway Enforcer appliance configuration settings on a management server

You can change the Gateway Enforcer appliance configuration settings on a management server. The configuration settings are automatically downloaded from the management server to the Gateway Enforcer appliance during the next heartbeat.

To change Gateway Enforcer appliance configuration settings in the Symantec Endpoint Protection Manager Console

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the group of Enforcers of which the Gateway Enforcer appliance is a member.

The Enforcer group must include the Gateway Enforcer appliance for which the configuration settings must be changed.

4 In the Admin page, under View Servers, select the Gateway Enforcer appliance for which the configuration settings must be changed.


5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Settings dialog box, change any of the configuration settings.

The Gateway Enforcer Settings dialog box provides the following categories of configuration settings:

General

Settings for the Enforcer group description and management server list.

See “Using general settings” on page 91.

Authentication

Settings for a variety of parameters that affect the client authentication process.

If a matching address is still not found, the Gateway Enforcer appliance begins the authentication session and sends the challenge packet.

See “Using authentication settings” on page 94.

Auth Range

Settings that specify an individual IP address for a client or IP ranges for clients who need to be authenticated. You can also specify an individual IP address or IP ranges for the clients that are allowed to connect to a network without authentication.

See “Authentication range settings” on page 107.

Advanced

Settings for authentication timeout parameters and Gateway Enforcer appliance message timeouts.

Settings for MAC addresses for the trusted hosts that the Gateway Enforcer appliance allows to connect without authentication (optional).

Settings for DNS Spoofing and Local Authentication.

Settings for protocols to be allowed without blocking clients.

See “Using advanced Gateway Enforcer appliance settings” on page 116.

Log Settings

Settings for enabling logging of Server logs and Client Activity logs, and for specifying log file parameters.

See “About Enforcer reports” on page 407.

See “About Enforcer logs” on page 408.

See “Configuring Enforcer log settings” on page 411.


Using general settings

You can add or edit the description of a Gateway Enforcer appliance or a Gateway Enforcer appliance group in the Symantec Endpoint Protection Manager Console.

See “Adding or editing the description of a Gateway Enforcer appliance group” on page 91.

See “Adding or editing the description of a Gateway Enforcer appliance” on page 92.

You cannot add or edit the name of a Gateway Enforcer appliance group in the Symantec Endpoint Protection Manager Console. You cannot add or edit the IP address or host name of a Gateway Enforcer appliance in the Symantec Endpoint Protection Manager Console. Instead, you must perform these tasks on the Enforcer console.

You can add or edit the IP address or host name of a Gateway Enforcer appliance in a management server list.

See “Adding or editing the IP address or host name of a Gateway Enforcer appliance” on page 92.

You can also add or edit the IP address or host name of a Symantec Endpoint Protection Manager in a management server list.

See “Establishing communication between a Gateway Enforcer appliance and a Symantec Endpoint Protection Manager through a management server list” on page 93.

Adding or editing the description of a Gateway Enforcer appliance group

You can add or edit the description of an Enforcer group of which a Symantec Gateway Enforcer appliance is a member. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the Enforcer console.

To add or edit the description of a Gateway Enforcer appliance group

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Gateway Enforcer appliance group whose description you want to add or edit.

4 In the Admin page, under Tasks, click Edit Group Properties.


5 In the Settings dialog box, on the Basic Settings tab, add or edit a description for the Gateway Enforcer appliance group in the Description field.

6 Click OK.

Adding or editing the description of a Gateway Enforcer appliance

You can add or edit the description of a Gateway Enforcer appliance. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the Enforcer console. After you complete this task, the description appears in the Description field of the Management Server pane.

To add or edit the description of a Gateway Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Gateway Enforcer appliance group whose description you want to add or edit.

4 In the Admin page, under View Servers, select the Gateway Enforcer appliance whose description you want to add or edit.

5 In the Admin page, under Tasks, click Edit Enforcer Properties.

6 In the Enforcer Properties dialog box, add or edit a description for the Gateway Enforcer appliance in the Description field.

7 Click OK.

Adding or editing the IP address or host name of a Gateway Enforcer appliance

You set the IP address or host name of a Gateway Enforcer appliance on the Gateway Enforcer console during the installation. If you want to change the IP address or host name of a Gateway Enforcer appliance at a later time, you can do so only on a Gateway Enforcer console, not in the Symantec Endpoint Protection Manager Console.

See “To set up an Enforcer appliance” on page 76.

See “Configure Interface” on page 250.

See “Configure interface-role” on page 251.


Establishing communication between a Gateway Enforcer appliance and a Symantec Endpoint Protection Manager through a management server list

Gateway Enforcer appliances must be able to connect to servers on which the Symantec Endpoint Protection Manager is installed. The Symantec Endpoint Protection Manager includes a file that helps manage the traffic between clients, Symantec Endpoint Protection Managers, and optional Enforcers such as a Gateway Enforcer appliance.

This file is called a management server list. The management server list specifies to which Symantec Endpoint Protection Manager server a Gateway Enforcer connects. It also specifies to which Symantec Endpoint Protection Manager server a Gateway Enforcer connects in case of a management server's failure.

A default management server list is automatically created for each site during the initial installation. All available Symantec Endpoint Protection Managers at that site are automatically added to the default management server list.

A default management server list includes the management servers' IP addresses or host names to which Gateway Enforcer appliances can connect after the initial installation. You may want to create a custom management server list before you deploy any Gateway Enforcer appliances. If you create a custom management server list, you can specify the priority in which a Gateway Enforcer appliance can connect to management servers.

If an administrator has created multiple management server lists, you can select the specific management server list that includes the IP addresses or host names of those management servers to which you want the Gateway Enforcer appliance to connect. If there is only one management server at a site, then you can select the default management server list.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information on how to customize management server lists.

To establish communication between a Gateway Enforcer appliance and a Symantec Endpoint Protection Manager

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to change the IP address or host name in a management server list.


4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Basic Settings tab, under Communication, select the management server list that you want this Gateway Enforcer appliance to use.

6 In the Settings dialog box, on the Basic Settings tab, under Communication, click Preview.

You can view the IP addresses and host names of all available management servers, as well as the priorities that have been assigned to them.

7 In the Management Server List dialog box, click Close.

8 In the Settings dialog box, click OK.

Using authentication settings

You can specify a number of authentication settings for a Gateway Enforcer appliance authentication session. When you apply these changes, they are automatically sent to the selected Gateway Enforcer appliance during the next heartbeat.

About using authentication settings

You may want to implement a number of authentication settings to further secure the network.

Table 6-1 provides more information about the options on the Authentication tab.

Table 6-1 Authentication configuration settings for a Gateway Enforcer appliance

Maximum number of packets per authentication session

The maximum number of challenge packets that the Gateway Enforcer appliance sends in each authentication session.

The default number is 10 packets. The range is 2 through 100 packets.

See “Specifying the maximum number of challenge packets during an authentication session” on page 99.


Time between packets in authentication session (seconds)

The time in seconds between each challenge packet that the Enforcer sends.

The default value is 3 seconds. The range is 3 through 10.

See “Specifying the frequency of challenge packets to be sent to clients” on page 100.

Time rejected client will be blocked (seconds)

The amount of time in seconds for which a client is blocked after it fails authentication.

The default setting is 30 seconds. The range is 10 through 300 seconds.

See “Specifying the time period for which a client is blocked after it fails authentication” on page 101.

Time authenticated client will be allowed (seconds)

The amount of time in seconds for which a client is allowed to retain its network connection without reauthentication.

The default setting is 30 seconds. The range is 10 through 300 seconds.

See “Specifying the time period for which a client is allowed to retain its network connection without reauthentication” on page 101.

Allow all clients, but continue to log which clients are not authenticated

If this option is enabled, the Gateway Enforcer appliance authenticates all users by checking that they are running a client. The Gateway Enforcer appliance also checks if the client passed the Host Integrity check. If the client passes the Host Integrity check, the Gateway Enforcer appliance then logs the results. It then forwards the Gateway request to receive a normal rather than a quarantine network configuration, whether the checks pass or fail.

The default setting is not enabled.

See “Allowing all clients with continued logging of non-authenticated clients” on page 102.


Allow all clients with non-Windows operating systems

If this option is enabled, the Gateway Enforcer checks for the operating system of the client. The Gateway Enforcer appliance then allows all clients that do not run the Windows operating systems to receive a normal network configuration without being authenticated. If this option is not enabled, the clients receive a quarantine network configuration.

The default setting is not enabled.

See “Allowing non-Windows clients to connect to a network without authentication” on page 103.

Check the Policy Serial Number on Client before allowing Client into network

If this option is enabled, the Gateway Enforcer appliance verifies that the client has received the latest security policies from the management server. If the policy serial number is not the latest, the Gateway Enforcer notifies the client to update its security policy. The client then forwards the Gateway request to receive a quarantine network configuration.

If this option is not enabled and if the Host Integrity check is successful, the Gateway Enforcer appliance forwards the Gateway request to receive a normal network configuration. The Gateway Enforcer forwards the request even if the client does not have the latest security policy.

The default setting is not enabled.

See “Having the Gateway Enforcer appliance check the policy serial number on a client” on page 104.

Enable pop-up message on client if Client is not running

If this option is enabled, a message appears to users on Windows computers that try to connect to an enterprise network without running a client. The default message is set to display only one time. The message tells the users that they are blocked from accessing the network because a client is not running and tells them to install it. To edit the message or to change how often it is displayed, you can click Message. The maximum message length is 128 characters.

The default setting is enabled.

See “Sending a message from a Gateway Enforcer appliance to a client about non-compliance” on page 105.


Page 97: Enforcer Implementation Guide SNAC11.0.5

Table 6-1 Authentication configuration settings for a Gateway Enforcer appliance (continued)

Option: Enable HTTP redirect on client if Client is not running

Description: If this option is enabled, the Gateway Enforcer appliance redirects HTTP requests from a computer that is not running the client to an internal Web server, typically a remediation Web site.

This option cannot be enabled without having specified a URL.

The default setting is enabled, with the value http://localhost.

See "Redirecting HTTP requests to a Web page" on page 106.

Option: HTTP redirect URL

Description: You can specify a URL of up to 255 characters when you redirect clients to a remediation Web site.

The default setting for the redirect URL is http://localhost.

See "Redirecting HTTP requests to a Web page" on page 106.

Option: HTTP redirect port

Description: You can specify a port number other than 80 when you redirect clients to a remediation Web site.

The default setting for the Web server is port 80.

See "Redirecting HTTP requests to a Web page" on page 106.

About authentication sessions on a Gateway Enforcer appliance

When a client tries to access the internal network, the Gateway Enforcer appliance establishes an authentication session with it. An authentication session is a set of challenge packets that are sent from a Gateway Enforcer appliance to a client.

During an authentication session, the Gateway Enforcer appliance sends a challenge packet to the client at a specified frequency. The default setting is every three seconds. It keeps sending packets until it receives a response from the client, or until it has sent the specified maximum number of packets. The default maximum is 10 packets.

If the client responds and passes authentication, the Gateway Enforcer appliance allows it access to the internal network for a specified number of seconds. The default is 30 seconds. The Gateway Enforcer appliance then starts a new authentication session during which the client must respond to retain the connection to the


Page 98: Enforcer Implementation Guide SNAC11.0.5

internal network. The Gateway Enforcer appliance disconnects the clients that do not respond or that are rejected because they fail authentication.

If the client does not respond or fails authentication, the Gateway Enforcer appliance blocks it for a specified number of seconds. The default is 30 seconds. If another client then tries to log on using that same IP address, it has to be reauthenticated.

You can configure the authentication session for each Gateway Enforcer appliance on the management server.

About client authentication on a Gateway Enforcer appliance

The Gateway Enforcer appliance authenticates remote clients before allowing access to the network. Client authentication in the Gateway Enforcer appliance performs the following functions:

■ Determines whether to authenticate the client or allow it without authentication
  You can specify individual clients or ranges of IP addresses to trust or to authenticate on the Auth Range tab.

■ Carries out the authentication session
  You configure the settings for the authentication session on the Authentication tab.

Each Gateway Enforcer appliance maintains the following lists of trusted IP addresses that are allowed to connect to the network through the Gateway Enforcer appliance:

■ A static list
  The trusted external IP addresses that are configured for the Enforcer on the Auth Range tab.

■ A dynamic list
  The additional trusted IP addresses that are added and dropped as clients are authenticated, allowed to connect to the network, and finally disconnected.

When traffic arrives from a new client, the Gateway Enforcer appliance first determines whether the client's IP address is on the list of trusted client IP addresses. If it is, the client is allowed on the network with no further authentication.

If the client does not have a trusted IP address, the Gateway Enforcer appliance then checks whether the client's IP address is within the client IP range for the clients that should be authenticated. If it is, the Gateway Enforcer appliance begins an authentication session.


Page 99: Enforcer Implementation Guide SNAC11.0.5

During the authentication session, the client sends its unique ID number, the results of the Host Integrity check, and its Policy Serial Number. The Policy Serial Number identifies whether the client's security policies are up to date.

The Gateway Enforcer appliance checks the results and can optionally check the Policy Serial Number. If the results are valid, the Gateway Enforcer appliance gives the client an authenticated status and allows it network access. If the results are not valid, the Gateway Enforcer appliance blocks the client from connecting to the network.

When a client is authenticated, that client's IP address is added to the dynamic list with a timer. The default timer interval is 30 seconds. After the timer interval has elapsed, the Gateway Enforcer appliance begins a new authentication session with the client. If the client does not respond or fails authentication, the client's IP address is deleted from the list and blocked for a specified interval. The default setting is 30 seconds. When another client tries to log on by using that same IP address, it has to be reauthenticated.
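The session and timer behaviour described in the two sections above, as an added example that is not code from this guide or from Symantec: a Python simulation of one Gateway Enforcer authentication session. The defaults and ranges are the ones in Table 6-1; the packet timeline (one challenge per interval, the session ending when the client answers or the packet budget runs out), the fields the client reports, and all class and function names are assumptions made for the example.

```python
"""Simulation of a Gateway Enforcer authentication session (added example,
not Symantec code). Timer defaults and ranges follow Table 6-1; the packet
timeline and the client response fields are assumptions made here."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class AuthSettings:
    """Authentication Parameters with the documented defaults and ranges."""
    packet_interval_s: int = 3    # Time between packets: 3 through 10 seconds
    max_packets: int = 10         # Maximum number of packets: 2 through 100
    block_time_s: int = 30        # Time rejected client will be blocked: 10 through 300
    allow_time_s: int = 30        # Time authenticated client will be allowed: 10 through 300
    check_policy_serial: bool = False  # Check the Policy Serial Number on Client

    def validate(self) -> None:
        """Reject values outside the ranges the console accepts."""
        limits = {
            "packet_interval_s": (3, 10),
            "max_packets": (2, 100),
            "block_time_s": (10, 300),
            "allow_time_s": (10, 300),
        }
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}..{high}")


@dataclass
class ClientResponse:
    """What the client reports during the session (assumed field set)."""
    client_id: str
    host_integrity_passed: bool
    policy_serial: str


@dataclass
class SessionResult:
    status: str          # "authenticated" or "rejected"
    packets_sent: int
    ended_at: float      # simulated time at which the session ended
    reason: str = ""


class GatewayEnforcer:
    def __init__(self, settings: AuthSettings, manager_policy_serial: str) -> None:
        settings.validate()
        self.settings = settings
        self.manager_policy_serial = manager_policy_serial  # latest serial from the manager
        self.dynamic_list: Dict[str, float] = {}   # ip -> allowed until (simulated seconds)
        self.blocked: Dict[str, float] = {}        # ip -> blocked until

    def run_session(self, ip: str, now: float,
                    responder: Callable[[int], Optional[ClientResponse]]) -> SessionResult:
        """Send up to max_packets challenges, packet_interval_s apart, until the client answers.

        responder(n) returns the client's reply to challenge packet n, or None
        if the client stays silent for that packet.
        """
        response = None
        packets_sent = 0
        t = now
        while packets_sent < self.settings.max_packets:
            packets_sent += 1
            response = responder(packets_sent)
            if response is not None:
                break
            t += self.settings.packet_interval_s   # wait before the next challenge
        if response is None:
            return self._reject(ip, t, packets_sent, "no response")
        if not response.host_integrity_passed:
            return self._reject(ip, t, packets_sent, "Host Integrity check failed")
        if (self.settings.check_policy_serial
                and response.policy_serial != self.manager_policy_serial):
            return self._reject(ip, t, packets_sent, "policy serial number out of date")
        # Authenticated: the IP joins the dynamic list with the allow timer running.
        self.blocked.pop(ip, None)
        self.dynamic_list[ip] = t + self.settings.allow_time_s
        return SessionResult("authenticated", packets_sent, t)

    def _reject(self, ip: str, t: float, packets_sent: int, reason: str) -> SessionResult:
        """Drop the IP from the dynamic list and block it for block_time_s."""
        self.dynamic_list.pop(ip, None)
        self.blocked[ip] = t + self.settings.block_time_s
        return SessionResult("rejected", packets_sent, t, reason)

    def state(self, ip: str, now: float) -> str:
        """How the Enforcer treats traffic from ip at simulated time now."""
        if self.blocked.get(ip, 0.0) > now:
            return "blocked"
        if self.dynamic_list.get(ip, 0.0) > now:
            return "allowed"
        return "needs-authentication"   # allow timer expired: start a new session
```

With the defaults, a silent client costs the appliance 10 packets and 30 seconds before it is blocked for a further 30 seconds, and an authenticated client is re-challenged every 30 seconds; the policy serial check only rejects a client when the option is enabled, which matches the "not enabled" default in Table 6-1.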

Specifying the maximum number of challenge packets during an authentication session

During the authentication session, the Gateway Enforcer appliance sends a challenge packet to the client at a specified frequency.

The Gateway Enforcer appliance continues to send packets until one of the following conditions is met:

■ The Gateway Enforcer appliance receives a response from the client.

■ The Gateway Enforcer appliance has sent the specified maximum number of packets.

The default setting is 10 packets for the maximum number of challenge packets in an authentication session. The range is from 2 through 100 packets.

To specify the maximum number of challenge packets during an authentication session

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to specify the maximum number of challenge packets during an authentication session.

4 In the Admin page, under Tasks, click Edit Group Properties.


Page 100: Enforcer Implementation Guide SNAC11.0.5

5 In the Gateway Settings dialog box, on the Authentication tab, under Authentication Parameters, type the maximum number of challenge packets that you want to allow during an authentication session in the Maximum number of packets per authentication session field.

The default setting is 10 packets. The range is from 2 through 100 packets.

6 In the Gateway Settings dialog box, on the Authentication tab, click OK.

Specifying the frequency of challenge packets to be sent to clients

During the authentication session, the Gateway Enforcer appliance sends a challenge packet to the client at a specified frequency.

The Gateway Enforcer appliance continues to send packets until one of the following conditions is met:

■ The Gateway Enforcer appliance receives a response from the client.

■ The Gateway Enforcer appliance has sent the specified maximum number of packets.

The default setting is every 3 seconds. The range is 3 through 10 seconds.

To specify the frequency of challenge packets to be sent to clients

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to specify the frequency of challenge packets to be sent to clients.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, under Authentication Parameters, type the number of seconds that the Gateway Enforcer appliance waits between challenge packets in the Time between packets in authentication session field.

The default setting is 3 seconds. The range is from 3 through 10 seconds.

6 In the Settings dialog box, on the Authentication tab, click OK.


Page 101: Enforcer Implementation Guide SNAC11.0.5

Specifying the time period for which a client is blocked after it fails authentication

You can specify the amount of time for which a client is blocked after it fails authentication.

The default setting is 30 seconds. The range is 10 through 300 seconds.

To specify the time period for which a client is blocked after it fails authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to specify the amount of time that a client is blocked after it fails authentication.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, under Authentication Parameters, type the number of seconds for which a client is blocked after it fails authentication in the Time rejected client will be blocked (seconds) field.

The default setting is 30 seconds. The range is 10 through 300 seconds.

6 Click OK.

Specifying the time period for which a client is allowed to retain its network connection without reauthentication

You can specify the amount of time in seconds for which a client is allowed to retain its network connection without reauthentication.

The default setting is 30 seconds. The range is 10 through 300 seconds.

To specify the time period for which a client is allowed to retain its network connection without reauthentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


Page 102: Enforcer Implementation Guide SNAC11.0.5

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to specify the amount of time that a client is allowed to retain its network connection without reauthentication.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, under Authentication Parameters, type the number of seconds for which a client is allowed to retain its network connection without reauthentication in the Time authenticated client will be allowed (seconds) field.

The default setting is 30 seconds. The range is 10 through 300 seconds.

6 Click OK.

Allowing all clients with continued logging of non-authenticated clients

It can take some time to deploy all the client software. You may want to configure the Gateway Enforcer appliance to allow all clients to connect to the network until you have finished distributing the client package to all users. Otherwise a Gateway Enforcer appliance blocks all clients that do not run the client. Because the client does not run on non-Windows operating systems such as Linux or Solaris, the Gateway Enforcer appliance also blocks those clients; the separate option of allowing all non-Windows clients to connect to the network covers that case.

With the non-Windows option, if a client is not authenticated, the Gateway Enforcer appliance detects the operating system type: Windows clients are blocked and non-Windows clients are permitted to access the network.

The default setting is not enabled.

Use the following guidelines when you apply the configuration settings:

■ This setting should be a temporary measure because it makes the network less secure: every client, compliant or not, receives a normal network configuration while it is enabled.

■ While this setting is in effect, you can review Enforcer logs to learn about the types of clients that try to connect to the network at that location. For example, you can review the Client Activity Log to see which clients do not have the client software installed. You can then make sure that the client software is installed on those clients before you disable this option.

To allow all clients with continued logging of non-authenticated clients

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


Page 103: Enforcer Implementation Guide SNAC11.0.5

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to allow all clients while continuing to log non-authenticated clients.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Allow all clients, but continue to log which clients are not authenticated.

The default setting is not enabled.

6 In the Settings dialog box, on the Authentication tab, click OK.

Allowing non-Windows clients to connect to a network without authentication

The Gateway Enforcer appliance cannot authenticate a client that is running a non-Windows operating system. Therefore non-Windows clients cannot connect to the network unless you specifically allow them to connect without authentication.

The default setting is not enabled.

You can use one of the following methods to enable clients on a non-Windows platform to connect to the network:

■ Specify each non-Windows client as a trusted host.

■ Allow all clients with non-Windows operating systems.

The Gateway Enforcer appliance detects the operating system of the client and authenticates Windows clients. Unless you enable this option, it does not allow non-Windows clients to connect through the Gateway Enforcer appliance without authentication.

If you need to have non-Windows clients connect to the network, you must also configure additional settings on the Symantec Endpoint Protection Manager Console.

See "Requirements for allowing non-Windows clients without authentication" on page 48.

To allow non-Windows clients to connect to a network without authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


Page 104: Enforcer Implementation Guide SNAC11.0.5

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Gateway Enforcer appliance for which you want to allow all non-Windows clients to connect to a network.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Allow all clients with non-Windows operating systems.

The default setting is not enabled.

6 Click OK.

Having the Gateway Enforcer appliance check the policy serial number on a client

The Symantec Endpoint Protection Manager updates a client's Policy Serial Number every time that the client's security policy changes. When a client connects to the Symantec Endpoint Protection Manager, it receives the latest security policies and the latest Policy Serial Number.

When a client tries to connect to the network through the Gateway Enforcer appliance, the Gateway Enforcer appliance retrieves the current Policy Serial Number from the Symantec Endpoint Protection Manager and compares it with the one that it receives from the client. If the Policy Serial Numbers match, the Gateway Enforcer appliance has validated that the client is running an up-to-date security policy.

The default value for this setting is not enabled.

The following guidelines apply:

■ If the Check the Policy Serial Number on Client before allowing Client into network option is checked, a client must have the latest security policy before it can connect to the network through the Gateway Enforcer appliance. If the client does not have the latest security policy, the client is notified to download the latest policy, and the Gateway Enforcer appliance forwards its Gateway request to receive a quarantine network configuration.

■ If the Check the Policy Serial Number on Client before allowing Client into network option is not checked and the Host Integrity check is successful, a client can connect to the network through the Gateway Enforcer appliance even if its security policy is not up to date.


Page 105: Enforcer Implementation Guide SNAC11.0.5

To have the Gateway Enforcer appliance check the policy serial number on a client

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Gateway Enforcer appliances.

The Enforcer group must include the Gateway Enforcer appliance that checks the Policy Serial Number on a client.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Check the Policy Serial Number on Client before allowing Client into network.

6 Click OK.

Sending a message from a Gateway Enforcer appliance to a client about non-compliance

You can send a Windows pop-up message to inform an end user that they cannot connect to the network. The message typically tells the end user that the computer cannot connect to the network because it does not run the Symantec Network Access Control client.

Most administrators type a brief statement of the need to run the Symantec Endpoint Protection client or the Symantec Network Access Control client. The message may include information about a download site where end users can download the required client software. You can also provide a contact telephone number and other relevant information.

This setting is enabled by default. It applies only to clients that do not run the Symantec Endpoint Protection client or the Symantec Network Access Control client.

As soon as you complete this task, the pop-up message appears on the client, provided that the Windows Messenger service is running on the client. The Messenger service is disabled by default on Windows XP Service Pack 2 and later and is not included in Windows Vista, so do not rely on the pop-up alone to reach users; the HTTP redirect described on page 106 reaches them through the browser instead.

To send a message from a Gateway Enforcer appliance to a client about non-compliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Enable pop-up message on client if Client is not running.


Page 106: Enforcer Implementation Guide SNAC11.0.5

6 Click Message.

7 In the Pop-up Message Settings dialog box, select how often you want the message to appear on a client from the Following message will pop-up list.

You can select any of the following time periods:

■ Once (the default value)

■ Every 30 seconds

■ Every minute

■ Every 2 minutes

■ Every 5 minutes

■ Every 10 minutes

8 Type the message that you want to appear in the text box.

The maximum number of characters is 125. This number includes spaces and punctuation.

The default message is:

"You are blocked from accessing the network because you do not have the Symantec Client running. You will need to install it."

9 Click OK.

10 In the Settings dialog box, on the Authentication tab, click OK.

Redirecting HTTP requests to a Web page

The Gateway Enforcer appliance can redirect HTTP requests to an internal Web server when a computer that is not running the client tries to reach an internal Web site through a browser. If you do not specify a URL, the Gateway Enforcer pop-up message is returned as the HTML body of the first page. Usually you want to send users to a remediation Web page that you set up, from which they can download the client or other remediation software; the Gateway Enforcer appliance redirects the HTTP GET request to the URL that you specify.

This setting is enabled by default.

For example, you can redirect a request to a Web server from which the client can download the client software, patches, or up-to-date versions of applications.


Page 107: Enforcer Implementation Guide SNAC11.0.5

To redirect HTTP requests to a Web page

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Gateway Enforcer appliances.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Gateway Settings dialog box, on the Authentication tab, check Enable HTTP redirect on client if Client is not running.

6 Type the URL in the HTTP redirect URL field.

The host of the redirect URL must be either the Symantec Endpoint Protection Manager or an IP address that is listed as part of the internal trusted IP range; otherwise a quarantined client cannot reach it.

The URL can have as many as 255 characters.

If you want to specify a Web server by name, you must also enable Allow all DNS request packets on the Advanced tab.

If you leave the URL field empty and then click OK, the following message appears:

The HTTP redirect URL must be a valid URL.

The appliance then uses the Gateway Enforcer pop-up message as the HTML body of the first HTML page sent back to the client.

7 In the Gateway Settings dialog box, on the Authentication tab, click OK.

Authentication range settings

You can configure the following settings:

■ Client IP addresses that the Gateway Enforcer appliance authenticates

■ External IP addresses that the Gateway Enforcer appliance does not authenticate

■ Internal IP addresses to which the Gateway Enforcer appliance allows access

After you apply the settings, the changes are sent to the selected Gateway Enforcer appliance during the next heartbeat. Keep in mind the following information:

■ The option Only authenticate clients with these IP addresses is selected by default. If you leave this option selected and do not specify any IP addresses to authenticate, the Gateway Enforcer appliance acts as a network bridge and allows all clients access without authentication. Verify that the list is populated before you rely on the appliance to enforce anything.

107Configuring the Symantec Gateway Enforcer appliance on the Symantec Endpoint Protection Manager ConsoleAuthentication range settings

Page 108: Enforcer Implementation Guide SNAC11.0.5

■ For Trusted External IP Range addresses, add the IP address of the corporate VPN server, as well as any other IP addresses that are allowed to access the corporate network without running a client. You may also want to include devices that normally have access to the network and run an operating system other than Windows. Because every address in this list bypasses authentication entirely, keep the list to specific hosts rather than whole subnets.

■ For Trusted Internal IP Range addresses, you may need to specify addresses such as an update server, a file server that contains antivirus signature files, a server that is used for remediation, or a DNS or WINS server that is required to resolve domain or host names.

■ If you specify that the Gateway Enforcer appliance verifies that the client profile is up to date, clients may need to connect to the Symantec Endpoint Protection Manager to download the latest security policies. If you use this option and refer to the Symantec Endpoint Protection Manager by DNS or host name, you must add the DNS or WINS server's IP address to the trusted internal IP list.

Client IP ranges compared to trusted external IP addresses

The Client IP Range works like what is called a black list: it lists the client IP addresses that the Gateway Enforcer appliance must check to see whether they are running the client and meet the required security policies. A client that is not in the Client IP Range is treated as if it had been assigned a trusted IP address.

Trusted External IP addresses work the opposite way, like what is called a white list. If you assign Trusted External IP addresses, the Gateway Enforcer appliance validates every client that tries to connect from the external side except the clients with Trusted External IP addresses, whereas the Client IP Range tells the Gateway Enforcer appliance to validate only the clients in that range.

When to use client IP ranges

The Client IP Range lets administrators specify a range of IP addresses that represent the computers the Gateway Enforcer appliance must authenticate. Computers with addresses outside the Client IP Range are allowed to pass through the Gateway Enforcer appliance without requiring the client software or other authentication.

The reasons for using Client IP Ranges include:

■ Allowing network access to external Web sites

■ Authenticating a subset of clients


Page 109: Enforcer Implementation Guide SNAC11.0.5

Allow network access to external Web sites

One reason for using Client IP Ranges is to allow network access to external Web sites from within your internal network. If an organization has computers on the corporate network that go out through the Gateway Enforcer appliance to access Web sites on the Internet, such as Symantec or Yahoo, the internal clients can query the Internet. However, without a Client IP Range the Gateway Enforcer appliance tries to authenticate the Web sites that respond to the client request.

Therefore internal clients that connect to the Internet through the Gateway Enforcer appliance are unable to access the Internet unless you configure the Client IP Range.

The Client IP Range may be all the IP addresses that a VPN server would assign to any client.

For example, an internal client can access the Internet if the Client IP Range is configured. When an internal user contacts a Web site, the site can respond to the client because the site's IP address is outside the Client IP Range, so the response does not need to be authenticated.

Authentication of a subset of clients

You may want the Gateway Enforcer appliance to authenticate a limited subset of clients. This is especially useful when clients are deployed over a long period of time.

You can have the Gateway Enforcer appliance check only the clients that connect through one subnet on which you have already installed the client on all of the computers. Other clients that access the corporate network at that location are allowed to pass through without requiring authentication. As the client is installed on other computers, you can add their addresses to the Client IP Range or use a different authentication strategy.
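The Auth Range lookup order from "About client authentication" (trusted external list, then the dynamic list, then the Client IP Range), the empty-list bridge pitfall noted under "Authentication range settings", and the two uses just described (Internet replies from addresses outside the range, authenticating one subnet), as an added example that is not code from this guide or from Symantec. The guide does not say what happens when Only authenticate clients with these IP addresses is cleared; the example assumes the appliance then authenticates every source that is not a trusted external address. All function names and the sample addresses are constructed for the example.

```python
"""Auth Range decision logic for a Gateway Enforcer (added example, not
Symantec code). Lookup order follows the guide; behaviour with the
"Only authenticate clients with these IP addresses" option cleared is an
assumption made here. Sample addresses are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set


def _networks(ranges: Iterable[str]) -> list:
    """Accept single addresses ("10.1.1.10") or CIDR ranges ("10.10.0.0/16")."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def _contains(ranges: Iterable[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(ranges))


@dataclass
class AuthRange:
    only_authenticate_listed: bool = True   # "Only authenticate clients with these IP addresses"
    client_ip_ranges: List[str] = field(default_factory=list)   # must be authenticated
    trusted_external: List[str] = field(default_factory=list)   # static list: never authenticated
    trusted_internal: List[str] = field(default_factory=list)   # reachable even when quarantined


def classify_source(cfg: AuthRange, src_ip: str, dynamic_list: Set[str]) -> str:
    """Return "trusted" (pass without authentication), "authenticated"
    (already on the dynamic list) or "authenticate" (start a session)."""
    if _contains(cfg.trusted_external, src_ip):
        return "trusted"
    if src_ip in dynamic_list:
        return "authenticated"
    if cfg.only_authenticate_listed:
        if not cfg.client_ip_ranges:
            # Documented pitfall: an empty list turns the Enforcer into a bridge.
            return "trusted"
        return "authenticate" if _contains(cfg.client_ip_ranges, src_ip) else "trusted"
    return "authenticate"   # assumption: authenticate everything not trusted external


def quarantined_may_reach(cfg: AuthRange, dst_ip: str) -> bool:
    """A client that is not (yet) authenticated may only reach trusted internal addresses."""
    return _contains(cfg.trusted_internal, dst_ip)


def audit(cfg: AuthRange) -> List[str]:
    """Warnings to review before the settings go out on the next heartbeat."""
    warnings: List[str] = []
    if cfg.only_authenticate_listed and not cfg.client_ip_ranges:
        warnings.append("client IP range is empty: the Enforcer acts as a bridge and allows all clients")
    for client_net in _networks(cfg.client_ip_ranges):
        for trusted_net in _networks(cfg.trusted_external):
            if client_net.overlaps(trusted_net):
                warnings.append(
                    f"client range {client_net} overlaps trusted external {trusted_net}: "
                    "the overlap is never authenticated")
    return warnings
```

The audit function captures the two mistakes that silently disable enforcement: an empty Client IP Range with the default option still selected, and a trusted external range broad enough to swallow the clients you meant to authenticate.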

About trusted IP addresses

You work with the following types of trusted IP addresses on a Gateway Enforcer appliance:

■ Trusted external IP addresses
  A trusted external IP address is the IP address of an external computer that is allowed to access the corporate network without running the client.

■ Trusted internal IP addresses
  A trusted internal IP address is the IP address of a computer within the corporate network that any client can access from the outside.


Page 110: Enforcer Implementation Guide SNAC11.0.5

You can add trusted IP addresses of both type by on the Symantec EndpointProtection Manager Console. Traffic to the Symantec Endpoint Protection Manageris always allowed from the Gateway Enforcer appliance.

Trusted external IP addressesOne of the primary duties of a Gateway Enforcer appliance is to check that allcomputers that try to access the network are running the client. Some computers,such as certain servers, may not be running the Windows operating system ormay not be running the client.

For example, VPN and wireless servers do not typically run the client. In addition,a network setup may include the devices that normally access the network andrun an operating system other than Windows. If these computers need to bypassa Gateway Enforcer appliance, you need to make sure that the Gateway Enforcerappliance knows about them. You can accomplish this objective by creating arange of trusted external IP addresses. In addition, you must also assign an IPaddress from that IP address range to a client.

Trusted internal IP addressesA trusted internal IP address represents the IP address of a computer inside thecorporate network that external clients can access from the outside. You can makecertain internal IP addresses into trusted internal IP addresses.

When you specify trusted internal IP addresses, clients can get to that IP addressfrom outside the corporate network whether or not:

■ The client software has been installed on the client computer

■ The client complies with a security policy

Trusted internal IP addresses are the internal IP addresses that you want usersoutside the company to be able to access.

Examples of internal addresses that you may want to specify as trusted IPaddresses are as follows:

■ An update server

■ A file server that contains antivirus signature files

■ A server that is used for remediation

■ A DNS or WINS server that is required to resolve domain or host names

When a client tries to access the internal network and does not get authenticated by the Gateway Enforcer appliance, the client can be placed in quarantine under the following circumstances:


■ The client is not running the client software on the client computer

■ The Host Integrity check failed

■ The client does not have an up-to-date policy

The client is still allowed to access certain IP addresses; these are the trusted internal IP addresses.

For example, an external client may need to access the corporate network to get the client software or other software that it needs. The Gateway Enforcer appliance allows the external client to get to a computer that is on the list of trusted internal IP addresses.

Adding client IP address ranges to the list of addresses that require authentication

You can specify the IP addresses of the clients that the Gateway Enforcer appliance authenticates.

Be aware of the following issues:

■ You must check the Enable option that is located next to the IP address or range if you want that address to be authenticated. If you want to temporarily disable authentication of an address or range, uncheck Enable.

■ If you type an invalid IP address, you receive an error message when you try to add it to the Client IP list.

To restrict a client's network access despite authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Gateway Enforcer appliance groups.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Gateway Settings dialog box, on the Auth Range tab, in the Authenticate Client IP Range area, check Only authenticate clients with these IP addresses.

If you do not check this option, any IP addresses listed are ignored. Therefore all clients who try to connect to the network are authenticated. If you check this option, the Gateway Enforcer appliance authenticates only the clients with the IP addresses that are added to the list.

6 Click Add.


7 In the Add Single IP Address dialog box, select Single IP address, IP Range, or Subnet.

The fields change to enable you to enter the appropriate information.

8 Select whether to add:

■ A single IP address

■ An IP range

■ An IP address plus subnet mask

9 Type either a single IP address, a start and end address of a range, or an IP address plus subnet mask.

10 Click OK.

The address information you typed is added to the Client IP Range table, with the Enable option selected.

11 Continue to click Add and specify any other IP addresses or ranges of addresses that you want the Gateway Enforcer to authenticate.

12 Click OK.

Editing client IP address ranges on the list of addresses that require authentication

You may need to edit client IP address ranges that you want to be authenticated.

To edit client IP address ranges on the list of addresses that require authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 Select the group of Enforcers for which you want to edit client IP address ranges on the list of addresses that require authentication.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Auth Range tab, in the Client IP Range area, click anywhere in the column of IP addresses and click Edit all.

7 Click OK.

8 In the Gateway Settings dialog box, click OK.


Removing client IP address ranges from the list of addresses that require authentication

You may need to remove client IP address ranges.

To remove client IP address ranges from the list of addresses that require authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 Select the group of Gateway Enforcer appliances for which you want to edit client IP address ranges on the list of addresses that require authentication.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Auth Range tab, in the Client IP Range area, click the row containing the IP address that you want to remove.

7 Click Remove.

8 Click OK.

Adding a trusted internal IP address for clients on a management server

The Trusted Internal IP table has a list of internal IP addresses that external clients are allowed to communicate with, regardless of whether a client currently runs or has passed the Host Integrity check.

If you run two Gateway Enforcer appliances in a series so that a client connects through more than one Gateway Enforcer appliance, the Gateway Enforcer appliance closest to the Symantec Endpoint Protection Manager needs to be specified as a trusted internal IP address of the other Gateway Enforcer appliance. If a client first fails a Host Integrity check and then passes it, you may have up to a five-minute delay before a client can connect to the network.

To add a trusted internal IP address for clients on a management server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 Select the Gateway Enforcer appliance group for which you want to edit client IP address ranges on the list of addresses that require authentication.


5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Auth Range tab, in the Trusted IP Range area, select Trusted Internal IP Range from the drop-down list.

7 Click Add.

8 In the IP Address Settings dialog box, type an IP address or address range.

9 Click OK.

The IP address is added to the list and a check mark appears in the Enable column.

10 In the Settings dialog box, click OK.

Specifying trusted external IP addresses

If you add trusted external IP addresses, the Gateway Enforcer appliance allows clients at these IP addresses to connect to the network even if they do not run any client software.

Because a client is not installed on VPN servers, you should add the server IP to the trusted IP list if you have a VPN server requiring network access through a Gateway Enforcer.

If you enter an invalid IP address, you receive an error message.

Note: You need to add the corporate VPN server’s internal IP address in the Trusted external IP Addresses field first.

To specify trusted external IP addresses

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 Select the group of Enforcers for which you want to specify trusted external IP addresses.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Auth Range tab, in the Trusted IP Range area, select Trusted External IP Range from the drop-down list.

7 Click Add.

8 In the IP Address Settings dialog box, type an IP address or address range.


9 Click OK.

The IP address is added to the list and a check mark appears in the Enable column.

10 In the Settings dialog box, click OK.

Editing trusted internal or external IP address

You may need to edit trusted internal as well as external IP addresses.

To edit a trusted internal or external IP address

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 Select the group of Enforcers for which you want to edit a trusted internal or external IP address.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Auth Range tab, in the Trusted IP Range area, select Trusted Internal IP Range or Trusted External IP Range from the drop-down list.

The addresses for the selected type appear in the table.

7 In the Trusted IP Range table, click anywhere in the column of IP addresses and click Edit all.

8 In the IP Address Editor dialog box, locate any addresses you want to change and edit them.

9 Click OK.

10 In the Settings dialog box, click OK.

Removing a trusted internal or trusted external IP address

If you no longer want to allow external users who are not fully authenticated to have access to a particular internal location, you can remove the IP address from the Trusted Internal IP Address table.

To remove a trusted internal IP or trusted external IP address

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


3 In the Admin page, under View Servers, select and expand the Gateway Enforcer appliance group.

4 Select the group of Gateway Enforcer appliances for which you want to remove a trusted internal IP or trusted external IP address.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Auth Range tab, in the Trusted IP Range area, select Trusted Internal IP Range or Trusted External IP Range from the drop-down list.

The addresses for the selected type appear in the table.

7 In the table, click the row containing the IP address that you want to remove.

8 Click Remove.

9 In the Settings dialog box, click OK.

IP range checking order

If both Client IP Range and Trusted Internal IP addresses are in use, the Gateway Enforcer appliance checks client addresses in the following order when a packet is received from a client:

■ If the Client IP Range is enabled, the Gateway Enforcer appliance checks the Client IP Range table for an address matching the source IP of the client.

■ If the Client IP Range does not include an IP address for that client, the Gateway Enforcer appliance allows the client without authentication.

■ If the Client IP Range does include an IP address for that client, the Gateway Enforcer appliance next checks the Trusted External IP Range for a matching address.

■ If an address matching the client is found in the Trusted External IP Range, the Gateway Enforcer appliance allows the client.

■ If no matching address is found in the Trusted External IP Range, the Gateway Enforcer appliance then checks the destination address against the Trusted Internal IP Range list and the list of Symantec Endpoint Protection Managers. If a matching address is still not located, the Gateway Enforcer appliance begins the authentication session and sends the challenge packet.
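The checking order above, worked through in code. The following Python model is an added example and is not Symantec code. It also accepts the three entry forms of the Add Single IP Address dialog (single address, start and end address, address plus subnet mask) and rejects an invalid address the way the console reports an error. The names parse_entry and check_packet, the treatment of an unchecked Only authenticate clients with these IP addresses option (the list is ignored and every client continues to the trusted-range checks), and all addresses are assumptions or constructed sample values.

```python
"""Gateway Enforcer IP range checking order, modelled in Python.

Added example, not Symantec code. Every address below is a constructed
sample value; the table layout and function names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One row of an IP table, stored as an inclusive integer interval."""
    start: int
    end: int
    enabled: bool = True          # the Enable check box next to the row

    def contains(self, ip: str) -> bool:
        n = int(ipaddress.IPv4Address(ip))
        return self.enabled and self.start <= n <= self.end


def parse_entry(text: str, enabled: bool = True) -> Entry:
    """Parse 'a.b.c.d', 'a.b.c.d-e.f.g.h' or 'a.b.c.d/mask'.

    Raises ValueError for an invalid address, mirroring the error message
    the console shows when an invalid IP address is typed.
    """
    text = text.strip()
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return Entry(int(lo), int(hi), enabled)
    if "/" in text:
        # strict=False lets a host address be given with its mask, e.g. 10.10.5.1/255.255.0.0
        net = ipaddress.IPv4Network(text, strict=False)
        return Entry(int(net.network_address), int(net.broadcast_address), enabled)
    addr = ipaddress.IPv4Address(text)
    return Entry(int(addr), int(addr), enabled)


def is_valid_entry(text: str) -> bool:
    try:
        parse_entry(text)
        return True
    except ValueError:
        return False


@dataclass
class GatewaySettings:
    only_authenticate_listed: bool = False      # "Only authenticate clients with these IP addresses"
    client_ip_range: list = field(default_factory=list)
    trusted_external: list = field(default_factory=list)
    trusted_internal: list = field(default_factory=list)
    management_servers: list = field(default_factory=list)   # traffic to a SEPM is always allowed


def _matches(entries, ip):
    return any(e.contains(ip) for e in entries)


def check_packet(s: GatewaySettings, src_ip: str, dst_ip: str):
    """Return ("allow", reason) or ("authenticate", reason) in the documented order."""
    # Step 1: with the Client IP Range enabled, an unlisted source is allowed
    # without authentication. Assumption: when the option is unchecked the
    # list is ignored and every client continues to the next checks.
    if s.only_authenticate_listed and not _matches(s.client_ip_range, src_ip):
        return "allow", "source not in Client IP Range"
    # Step 2: the source is checked against the Trusted External IP Range.
    if _matches(s.trusted_external, src_ip):
        return "allow", "source in Trusted External IP Range"
    # Step 3: the destination is checked against the Trusted Internal IP Range
    # and the list of Symantec Endpoint Protection Managers.
    if _matches(s.trusted_internal, dst_ip):
        return "allow", "destination in Trusted Internal IP Range"
    if _matches(s.management_servers, dst_ip):
        return "allow", "destination is a Symantec Endpoint Protection Manager"
    # Step 4: nothing matched, so the authentication session begins.
    return "authenticate", "no match; begin authentication session"


def demo():
    """Constructed settings: one client subnet, a VPN server as a trusted external
    address, a remediation range and one SEPM as trusted destinations."""
    s = GatewaySettings(
        only_authenticate_listed=True,
        client_ip_range=[parse_entry("10.10.0.0/255.255.0.0")],
        trusted_external=[parse_entry("10.10.5.1")],
        trusted_internal=[parse_entry("192.0.2.10-192.0.2.12")],
        management_servers=[parse_entry("192.0.2.50")],
    )
    return {
        "unlisted_source": check_packet(s, "172.16.1.9", "192.0.2.100")[0],
        "vpn_server": check_packet(s, "10.10.5.1", "192.0.2.100")[0],
        "to_remediation": check_packet(s, "10.10.7.7", "192.0.2.11")[0],
        "to_sepm": check_packet(s, "10.10.7.7", "192.0.2.50")[0],
        "to_other_host": check_packet(s, "10.10.7.7", "192.0.2.100")[0],
    }
```

The demo shows the point that matters operationally: a source outside the Client IP Range is allowed without any check at all, so the range must cover every segment from which unmanaged hosts can arrive, while a client inside the range is only let through to trusted destinations until it authenticates.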

Using advanced Gateway Enforcer appliance settings

You can configure the following advanced Gateway Enforcer appliance configuration settings:


■ Allow all DHCP request packets.

■ Allow all DNS request packets.

■ Allow all ARP request packets.

■ Allow other protocols besides IP and ARP. You can specify the types of protocols that you want to allow in the Filter field. See “Specifying packet types and protocols” on page 117.

■ Allowing legacy clients. See “Allowing a legacy client to connect to the network with a Gateway Enforcer appliance” on page 118.

■ Enabling local authentication. See “Enabling local authentication on a Gateway Enforcer appliance” on page 119.

When you apply the settings, the changes that you have made are sent to the selected Gateway Enforcer appliance during the next heartbeat.

Specifying packet types and protocols

You can specify that the Gateway Enforcer appliance allows certain packet types to pass through without requiring a client to run or requiring authentication.

To specify packet types and protocols

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Gateway Enforcer appliance group.

4 Select the group of Gateway Enforcer appliances for which you want to specify packet types and protocols.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Gateway Settings dialog box, on the Advanced tab, check or uncheck the following packet types or protocols:

■ Allow all DHCP request packets. When enabled, the Gateway Enforcer appliance forwards all DHCP requests from the external network into the internal network. Because disabling this option prevents the client from getting an IP address, and since the client requires an IP address to talk to a Gateway Enforcer appliance, it is recommended that this option remain enabled. The default setting is enabled.


■ Allow all DNS request packets. When enabled, the Enforcer forwards all DNS requests from the external network into the internal network. This option must be enabled if the client is configured to communicate with the Symantec Endpoint Protection Manager by name rather than by IP address. This option must also be enabled if you want to use the HTTP redirect requests option on the Authentication tab. The default setting is enabled.

■ Allow all ARP request packets. When this option is enabled, the Gateway Enforcer appliance allows all ARP packets from the internal network. Otherwise the Gateway Enforcer appliance treats the packet as a normal IP packet, uses the sender IP as the source IP and the target IP as the destination IP, and carries out the authentication process. The default setting is enabled.

■ Allow other protocols besides IP and ARP. When this option is enabled, the Gateway Enforcer appliance forwards all packets with other protocols. Otherwise it drops them. The default setting is disabled. If you checked Allow other protocols besides IP and ARP, you may want to complete the Filter field.

7 Click OK.
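How the four Advanced-tab packet settings gate a frame before any range check or authentication is reached, as an added Python model that is not Symantec code. It encodes the documented defaults and the fallback for ARP when Allow all ARP request packets is unchecked. The Frame and AdvancedSettings names are assumptions, the Filter field is modelled as an allow-list of protocol names (the guide only says protocol types are specified there), and the frames are constructed.

```python
"""Advanced-tab packet-type settings of the Gateway Enforcer appliance, modelled in Python.

Added example, not Symantec code. The Filter field is assumed to be an
allow-list of protocol names; an empty filter forwards every other protocol.
"""
from dataclasses import dataclass


@dataclass
class AdvancedSettings:
    allow_dhcp_requests: bool = True            # default enabled
    allow_dns_requests: bool = True             # default enabled
    allow_arp: bool = True                      # default enabled
    allow_other_protocols: bool = False         # default disabled
    protocol_filter: frozenset = frozenset()    # Filter field (assumed allow-list)


@dataclass
class Frame:
    protocol: str                  # "IP", "ARP" or another name such as "IPX" (constructed)
    from_external: bool = True     # arrived on the external interface
    src_ip: str = ""
    dst_ip: str = ""
    service: str = ""              # "dhcp-request", "dns-request" or "" for other IP traffic
    arp_sender: str = ""           # sender / target protocol addresses of an ARP packet
    arp_target: str = ""


def prefilter(frame: Frame, s: AdvancedSettings):
    """Return ("forward", why), ("drop", why) or ("authenticate", (src, dst))."""
    if frame.protocol == "ARP":
        if s.allow_arp:
            return "forward", "ARP allowed"
        # Option off: the packet is treated as a normal IP packet, with the
        # ARP sender as source IP and the ARP target as destination IP.
        return "authenticate", (frame.arp_sender, frame.arp_target)
    if frame.protocol != "IP":
        allowed = s.allow_other_protocols and (
            not s.protocol_filter or frame.protocol in s.protocol_filter)
        if allowed:
            return "forward", f"{frame.protocol} allowed by Filter"
        return "drop", f"{frame.protocol} is neither IP nor ARP"
    if frame.from_external and frame.service == "dhcp-request" and s.allow_dhcp_requests:
        return "forward", "DHCP request forwarded into the internal network"
    if frame.from_external and frame.service == "dns-request" and s.allow_dns_requests:
        return "forward", "DNS request forwarded into the internal network"
    # Everything else goes on to the IP range checks and, if needed, authentication.
    # A DHCP request that lands here (option disabled) never yields an address,
    # which is why the guide recommends leaving that option enabled.
    return "authenticate", (frame.src_ip, frame.dst_ip)


def demo():
    defaults = AdvancedSettings()
    locked = AdvancedSettings(allow_arp=False, allow_other_protocols=True,
                              protocol_filter=frozenset({"IPX"}))
    dhcp = Frame("IP", src_ip="0.0.0.0", dst_ip="255.255.255.255", service="dhcp-request")
    arp = Frame("ARP", arp_sender="10.10.7.7", arp_target="10.10.0.1")
    ipx = Frame("IPX")
    appletalk = Frame("AppleTalk")
    return {
        "dhcp_default": prefilter(dhcp, defaults)[0],
        "dhcp_disabled": prefilter(dhcp, AdvancedSettings(allow_dhcp_requests=False))[0],
        "arp_default": prefilter(arp, defaults)[0],
        "arp_disabled": prefilter(arp, locked),
        "ipx_default": prefilter(ipx, defaults)[0],
        "ipx_filtered": prefilter(ipx, locked)[0],
        "appletalk_filtered": prefilter(appletalk, locked)[0],
    }
```

The "other protocols" branch is the one to audit in a hardened deployment: with the option disabled (the default) every non-IP, non-ARP frame is dropped, and enabling it without a Filter entry forwards all of them unauthenticated.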

Allowing a legacy client to connect to the network with a Gateway Enforcer appliance

You can enable a Gateway Enforcer appliance to connect to 5.1.x legacy clients. If your network supports an 11.0.2 Symantec Endpoint Protection Manager, a Symantec Gateway Enforcer appliance, and needs to support 5.1.x legacy clients, you can enable the support of 5.1.x legacy clients on the management server console so that the Symantec Gateway Enforcer appliance does not block them.

To allow a legacy client to connect to the network with a Gateway Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Gateway Enforcer appliances.

4 In the Admin page, under Tasks, click Edit Group Properties.


5 In the Settings dialog box, on the Advanced tab, check Allow legacy clients.

6 Click OK.

Enabling local authentication on a Gateway Enforcer appliance

With local authentication enabled, when the Gateway Enforcer appliance loses its connection with the server on which the Symantec Endpoint Protection Manager is installed, the Gateway Enforcer appliance authenticates a client locally.

To enable local authentication on a Gateway Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Gateway Enforcer appliances.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Enable Local Authentication.

6 Click OK.


Chapter 7

Configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager Console

This chapter includes the following topics:

■ About configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager Console

■ Changing DHCP Enforcer appliance configuration settings on a management server

■ Using general settings

■ Using authentication settings

■ Using DHCP servers settings

■ Using advanced DHCP Enforcer appliance settings


About configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager Console

You can add or edit the configuration settings for the DHCP Enforcer appliance in the Symantec Endpoint Protection Manager Console.

Before you can proceed, you must complete the following tasks:

■ Install the software for the Symantec Endpoint Protection Manager on a computer. See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control. The computer on which the Symantec Endpoint Protection Manager software is installed is also referred to as the management server.

■ Connect the Symantec DHCP Enforcer appliance to the network. See “To set up an Enforcer appliance” on page 76.

■ Configure the Symantec DHCP Enforcer appliance on the Enforcer console during the installation. See “To configure an Enforcer appliance” on page 78.

After you finish these tasks, you can specify additional configuration settings for the DHCP Enforcer appliance on a management server.

Changing DHCP Enforcer appliance configuration settings on a management server

You can change the DHCP Enforcer appliance configuration settings on a management server. The configuration settings are automatically downloaded from the management server to the DHCP Enforcer appliance during the next heartbeat.

To change DHCP Enforcer appliance configuration settings on a management server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the DHCP Enforcer appliance group of which the DHCP Enforcer appliance is a member.

The DHCP Enforcer appliance group must include the DHCP Enforcer appliances whose configuration settings need to be changed.


4 In the Admin page, under View Servers, select the DHCP Enforcer appliance whose configuration settings need to be changed.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Settings dialog box, change any of the configuration settings.

The DHCP Enforcer Settings dialog box provides the following categories of configuration settings:

General
Settings for the description of the DHCP Enforcer appliance group and management server list.
See “Using general settings” on page 124.

Authentication
Settings for a variety of parameters that affect the client authentication process.
See “Using authentication settings” on page 127.

DHCP Servers
Settings that specify the IP address, port number, and priority for normal and quarantine DHCP servers. This information is required.
You must configure information about the DHCP server before you can begin enforcement.
See “Using DHCP servers settings” on page 136.

Advanced
Settings for authentication timeout parameters and DHCP message timeouts.
Settings for MAC addresses for the trusted hosts that the DHCP Enforcer appliance allows to connect without authentication (optional).
Settings for DNS Spoofing, and Local Authentication.
See “Using advanced DHCP Enforcer appliance settings” on page 140.

Log settings
Settings for enabling logging of Server logs, Client Activity logs, and specifying log file parameters.
See “About Enforcer reports” on page 407.
See “About Enforcer logs” on page 408.
See “Configuring Enforcer log settings” on page 411.


Using general settings

You can add or edit the description of a DHCP Enforcer or a DHCP Enforcer group in the Symantec Endpoint Protection Manager Console.

See “Adding or editing the name of an Enforcer group with a DHCP Enforcer” on page 124.

See “Adding or editing the description of an Enforcer group with a DHCP Enforcer” on page 124.

However, you cannot add or edit the name of a DHCP Enforcer group in the Symantec Endpoint Protection Manager Console. You cannot add or edit the IP address or host name of a DHCP Enforcer in the Symantec Endpoint Protection Manager Console. Instead, you must perform these tasks on the Enforcer console.

See “Adding or editing the IP address or host name of a DHCP Enforcer” on page 125.

You can also add or edit the IP address or host name of a Symantec Endpoint Protection Manager in a management server list.

See “Connecting the DHCP Enforcer to a Symantec Endpoint Protection Manager” on page 125.

Adding or editing the name of an Enforcer group with a DHCP Enforcer

You can add or edit the name of an Enforcer group of which a DHCP Enforcer appliance is a member. You perform these tasks on the Enforcer console during the installation. Later, if you want to change the name of an Enforcer group, you can do so on the Enforcer console.

See the Enforcer Implementation Guide for Symantec Network Access Control for information on how to add or edit the name of an Enforcer group.

All Enforcers in a group share the same configuration settings.

Adding or editing the description of an Enforcer group with a DHCP Enforcer

You can add or edit the description of an Enforcer group of which a Symantec DHCP Enforcer appliance is a member. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the DHCP Enforcer console.

To add or edit the description of an Enforcer group with a DHCP Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


3 In the Admin page, under View Servers, select and expand the Enforcer group whose description you want to add or edit.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Basic Settings tab, add or edit a description for the Enforcer group in the Description field.

6 In the Settings dialog box, click OK.

Adding or editing the IP address or host name of a DHCP Enforcer

You can only change the IP address or host name of a DHCP Enforcer on the Enforcer console during the installation. Later, if you want to change the IP address or host name of a DHCP Enforcer, you can do so on the DHCP Enforcer console.

See the Enforcer Implementation Guide for Symantec Network Access Control for more information.

Adding or editing the description of a DHCP Enforcer

You can add or edit the description of a DHCP Enforcer. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the DHCP Enforcer console. After you complete this task, the description appears in the Description field of the Management Server pane.

To add or edit the description of a DHCP Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Enforcer group that includes the DHCP Enforcer whose description you want to add or edit.

4 In the Admin page, under View Servers, select the DHCP Enforcer whose description you want to add or edit.

5 In the Admin page, under Tasks, click Edit Enforcer Properties.

6 In the Enforcer Properties dialog box, add or edit a description for the DHCP Enforcer in the Description field.

7 In the Enforcer Properties dialog box, click OK.

Connecting the DHCP Enforcer to a Symantec Endpoint Protection Manager

Enforcers must be able to connect to servers on which the Symantec Endpoint Protection Manager is installed. The Symantec Endpoint Protection Manager includes a file that helps manage the traffic between clients, Symantec Endpoint Protection Managers, and optional Enforcers such as a DHCP Enforcer.

This file is called a management server list. The management server list specifies to which Symantec Endpoint Protection Manager server a DHCP Enforcer connects. It also specifies to which Symantec Endpoint Protection server a DHCP Enforcer connects in case of a management server's failure.

A default management server list is automatically created for each site during the initial installation. All available Symantec Endpoint Protection Managers at that site are automatically added to the default management server list.

A default management server list includes the management server's IP addresses or host names to which DHCP Enforcers can connect after the initial installation. You may want to create a custom management server list before you deploy any Enforcers. If you create a custom management server list, you can specify the priority in which a DHCP Enforcer can connect to management servers.

You can select the specific management server list that includes the IP addresses or host names of those management servers to which you want the DHCP Enforcer to connect. If there is only one management server at a site, then you can select the default management server list.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information on how to customize management server lists.

To connect the DHCP Enforcer to a Symantec Endpoint Protection Manager

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the DHCP Enforcer for which you want to change the IP address or host name in a management server list.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Basic Settings tab, under Communication,select the management server list that you want this DHCP Enforcer to use.

6 In the Settings dialog box, on the Basic Settings tab, under Communication,click Preview.

You can view the IP addresses and host names of all available management servers, as well as the priorities that have been assigned to them.


7 In the Management Server List dialog box, click Close.

8 In the Settings dialog box, click OK.

Using authentication settings

You can specify a number of authentication settings for a DHCP Enforcer authentication session. When you apply these changes, they are automatically sent to the selected DHCP Enforcer during the next heartbeat.

About using authentication settings

You may want to implement a number of authentication settings to further secure the network.

Table 7-1 provides more information about the options on the Authentication tab.

Table 7-1 Authentication configuration settings for a DHCP Enforcer

DescriptionOption

The maximum number of challenge packets that the DHCPEnforcer sends in each authentication session.

The default number is 10.

See “Specifying the maximum number of challenge packetsduring an authentication session” on page 130.

Maximum number of packetsper authentication session

The time (in seconds) between each challenge packet thatthe Enforcer sends.

The default value is 3.

See “Specifying the frequency of challenge packets to besent to clients” on page 131.

Time between packets inauthentication session

If this option is enabled, the Enforcer authenticates all usersby checking that they are running a client. The DHCPEnforcer also checks if the client passed the Host Integritycheck. If the client passes the Host Integrity check, the DHCPEnforcer then logs the results. It then forwards the DHCPrequest to receive a normal rather than a quarantinenetwork configuration, whether the checks pass or fail.

The default setting is not enabled.

See “Allowing all clients with continued logging ofnon-authenticated clients” on page 132.

Allow all clients, butcontinue to log which clientsare not authenticated

127Configuring the Symantec DHCP Enforcer appliance on the Symantec Endpoint Protection Manager ConsoleUsing authentication settings

Page 128: Enforcer Implementation Guide SNAC11.0.5

Table 7-1 Authentication configuration settings for a DHCP Enforcer(continued)

DescriptionOption

If this option is enabled, the DHCP Enforcer checks for theoperating system of the client. The DHCP Enforcer thenallows all clients that do not run the Windows operatingsystems to receive a normal network configuration withoutbeing authenticated. If this option is not enabled, the clientsreceive a quarantine network configuration.

The default setting is not enabled.

See “Allowing non-Windows clients to connect to a networkwithout authentication” on page 133.

Allow all clients withnon-Windows operatingsystems

Check Policy Serial Number on Client before allowing Client into network

If this option is enabled, the DHCP Enforcer verifies that the client has received the latest security policies from the management server. If the policy serial number is not the latest, the DHCP Enforcer notifies the client to update its security policy. The client then forwards the DHCP request to receive a quarantine network configuration.

If this option is not enabled and the Host Integrity check is successful, the DHCP Enforcer forwards the DHCP request to receive a normal network configuration. The DHCP Enforcer forwards the DHCP request even if the client does not have the latest security policy.

The default setting is not enabled.

See “Having the DHCP Enforcer check the Policy Serial Number on a client” on page 134.

Enable pop-up message on client if Client is not running

If this option is enabled, a message appears to users on Windows computers that try to connect to an enterprise network without running a client. The default message is set to display only one time. The message tells the users that they are blocked from accessing the network because a client is not running and tells them to install it. To edit the message or to change how often it is displayed, you can click Message. The maximum message length is 128 characters.

The default setting is enabled.

See “Sending a message from a DHCP Enforcer appliance to a client about non-compliance” on page 135.


About Authentication sessions

When a client tries to access the internal network, the DHCP Enforcer appliance first detects whether the client computer is running a client. If it is, the DHCP Enforcer appliance forwards the client DHCP message to the DHCP server to obtain a quarantine IP address with a short lease time. This process is used internally by the DHCP Enforcer appliance for its authentication process.

The DHCP Enforcer appliance then begins its authentication session with the client. An authentication session is a set of challenge packets that the DHCP Enforcer appliance sends to a client.

During the authentication session, the DHCP Enforcer appliance sends a challenge packet to the client at a specified frequency.

The default setting is every three seconds.

The DHCP Enforcer appliance continues to send packets until one of the following conditions is met:

■ The DHCP Enforcer appliance receives a response from the client

■ The DHCP Enforcer appliance has sent the maximum number of packets specified. The default setting is 10.

The frequency (3 seconds) times the number of packets (10) is the value that is used for the DHCP Enforcer appliance's heartbeat. The heartbeat is the interval that the DHCP Enforcer appliance allows the client to remain connected before it starts a new authentication session.

The default setting is 30 seconds.

The client sends information to the DHCP Enforcer appliance that contains the following items:

■ Unique identification (UID)

■ Its current Profile Serial Number

■ The results of the Host Integrity check

The DHCP Enforcer appliance verifies the client UID and the Policy Serial Number with the Symantec Endpoint Protection Manager. If the client is updated with the latest security policies, its Policy Serial Number matches the one that the DHCP Enforcer appliance receives from the management server. The Host Integrity check results show whether or not the client complies with the current security policies.

If the client information passes the authentication requirements, the DHCP Enforcer appliance forwards its DHCP request to the DHCP server. The DHCP Enforcer appliance expects to receive a normal DHCP network configuration. Otherwise the DHCP Enforcer appliance forwards it to the quarantine DHCP server to receive a quarantine network configuration.

You can install one DHCP server on one computer and configure it to provide both a normal and a quarantine network configuration. See “Installation planning for a DHCP Enforcer appliance” on page 52.

After the heartbeat interval or whenever the client tries to renew its IP address, the DHCP Enforcer appliance starts a new authentication session. The client must respond to retain the connection to the internal network.

The DHCP Enforcer appliance disconnects the clients that do not respond.

For the clients that were previously authenticated but now fail authentication, the DHCP Enforcer appliance sends a message to the DHCP server. The message is a request for the release of the current IP address. The DHCP Enforcer appliance then sends a DHCP message to the client. The client then sends a request for a new IP address and network configuration to the DHCP Enforcer appliance. The DHCP Enforcer forwards this request to the quarantine DHCP server.
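The authentication session described above and the Table 7-1 options it applies, as an added Python model that is not Symantec's code: it runs the challenge loop with the guide's defaults (3 seconds, 10 packets) and then decides between the normal and the quarantine DHCP server from the client's reply. The names (run_session, EnforcerSettings) and the treatment of an unknown UID as a failed authentication are assumptions made here.

```python
"""Model of a DHCP Enforcer authentication session and its access decision.

Constructed example, not Symantec's code. The settings mirror the Table 7-1
options and the decision order (policy serial number, then Host Integrity)
follows the table text. Treating an unknown client UID as a failed
authentication is an assumption; the guide does not spell that case out.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set

CHALLENGE_INTERVAL_SECONDS = 3   # default: one challenge packet every 3 s
MAX_CHALLENGE_PACKETS = 10       # default: at most 10 packets per session


def heartbeat_seconds(interval: int = CHALLENGE_INTERVAL_SECONDS,
                      packets: int = MAX_CHALLENGE_PACKETS) -> int:
    """Heartbeat = frequency x packet count: how long a client may stay
    connected before the Enforcer starts a new session (30 s by default)."""
    return interval * packets


class Outcome(Enum):
    NORMAL = "normal network configuration"
    QUARANTINE = "quarantine network configuration"


@dataclass
class EnforcerSettings:
    allow_all_but_log: bool = False     # Allow all clients, but continue to log
    allow_non_windows: bool = False     # Allow all clients with non-Windows OS
    check_policy_serial: bool = False   # Check Policy Serial Number on Client


@dataclass
class ClientReply:
    """What a running client returns in answer to a challenge packet."""
    uid: str
    policy_serial: str
    host_integrity_passed: bool


@dataclass
class Endpoint:
    os_name: str
    reply: Optional[ClientReply]   # None: no client software ever answered
    answers_on_packet: int = 1     # constructed: which challenge it answers


@dataclass
class Decision:
    outcome: Outcome
    log: List[str] = field(default_factory=list)


def run_session(endpoint: Endpoint, settings: EnforcerSettings,
                latest_policy_serial: str, known_uids: Set[str]) -> Decision:
    """Send challenges until a reply arrives or MAX_CHALLENGE_PACKETS is
    reached, then decide which DHCP server the request is forwarded to."""
    log: List[str] = []
    answered = (endpoint.reply is not None
                and endpoint.answers_on_packet <= MAX_CHALLENGE_PACKETS)
    if not answered:
        non_windows = not endpoint.os_name.lower().startswith("windows")
        if settings.allow_non_windows and non_windows:
            log.append(f"{endpoint.os_name}: allowed without authentication")
            return Decision(Outcome.NORMAL, log)
        log.append("no client running; pop-up asks the user to install it")
        if settings.allow_all_but_log:
            log.append("allowed anyway: allow-all-but-log is enabled")
            return Decision(Outcome.NORMAL, log)
        return Decision(Outcome.QUARANTINE, log)

    r = endpoint.reply
    failed = False
    if r.uid not in known_uids:        # assumption: an unknown UID fails
        log.append(f"UID {r.uid} is not known to the management server")
        failed = True
    if r.policy_serial != latest_policy_serial:
        log.append(f"policy serial {r.policy_serial} is not the latest "
                   f"({latest_policy_serial})")
        if settings.check_policy_serial:
            log.append("client told to update its security policy")
            failed = True
    if r.host_integrity_passed:
        log.append("Host Integrity check passed")
    else:
        log.append("Host Integrity check failed")
        failed = True

    if failed and not settings.allow_all_but_log:
        return Decision(Outcome.QUARANTINE, log)
    if failed:
        log.append("allowed anyway: allow-all-but-log is enabled")
    return Decision(Outcome.NORMAL, log)
```

The log list is what an administrator would look for in the Client Activity Log while the allow-all option is temporarily enabled.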

Specifying the maximum number of challenge packets during an authentication session

During the authentication session, the DHCP Enforcer appliance sends a challenge packet to the client at a specified frequency.

The DHCP Enforcer appliance continues to send packets until one of the following conditions is met:

■ The DHCP Enforcer appliance receives a response from the client

■ The DHCP Enforcer appliance has sent the specified maximum number of packets.

The default setting for the maximum number of challenge packets for an authentication session is 10.

To specify the maximum number of challenge packets during an authentication session

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The DHCP Enforcer appliance group must include the DHCP Enforcer for which you want to specify the maximum number of challenge packets during an authentication session.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 On the Authentication tab, under Authentication Parameters, type the maximum number of challenge packets to be allowed during an authentication session in the field Maximum number of packets per authentication session.

The default setting is 10.

6 In the Settings dialog box, on the Authentication tab, click OK.

Specifying the frequency of challenge packets to be sent to clients

During the authentication session, the DHCP Enforcer appliance sends a challenge packet to the client at a specified frequency.

The DHCP Enforcer appliance continues to send packets until one of the following conditions is met:

■ The DHCP Enforcer appliance receives a response from the client

■ The DHCP Enforcer appliance has sent the specified maximum number of packets.

The default setting is every 3 seconds.

To specify the frequency of challenge packets to be sent to clients

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The DHCP Enforcer appliance group must include the DHCP Enforcer appliance for which you want to specify the frequency of challenge packets to be sent to clients.

4 In the Admin page, under Tasks, click Edit Group Properties.


5 On the Authentication tab, under Authentication Parameters, type the maximum number of challenge packets the DHCP Enforcer is to keep sending to a client during an authentication session in the field Time between packets in authentication session.

The default setting is 10.

6 In the Settings dialog box, on the Authentication tab, click OK.

Allowing all clients with continued logging of non-authenticated clients

It can take some time to deploy all the client software. You can configure the DHCP Enforcer appliance to allow all clients to connect to the network after you distribute the client package to all users. These users all connect to a DHCP server at the location of this DHCP Enforcer appliance.

The DHCP Enforcer appliance still authenticates all users by checking that they are running a client, checking Host Integrity, and logging the results. It forwards the DHCP requests to receive the normal DHCP server network configuration instead of the quarantine network configuration. This process occurs regardless of whether the Host Integrity checks pass or fail.

The default setting is not enabled.

Use the following guidelines when you apply the configuration settings:

■ This setting should be a temporary measure because it makes the network less secure.

■ While this setting is in effect, you can review Enforcer logs. You can learn about the types of clients that try to connect to the network at that location. For example, you can review the Client Activity Log to see if any of the clients do not have the client software installed. You can then make sure that the client software is installed on those clients before you disable this option.

To allow all clients with continued logging of non-authenticated clients

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group ofEnforcers.

The Enforcer group must include the DHCP Enforcer for which you want to allow all clients while continuing the logging of non-authenticated clients.

4 In the Admin page, under Tasks, click Edit Group Properties.


5 In the Settings dialog box, on the Authentication tab, check Allow all clients, but continue to log which clients are not authenticated.

The default setting is not enabled.

6 Click OK.

Allowing non-Windows clients to connect to a network without authentication

The DHCP Enforcer appliance cannot authenticate a client that is running a non-Windows operating system. Therefore non-Windows clients cannot connect to the network unless you specifically allow them to connect to the network without authentication.

The default setting is not enabled.

You can use one of the following methods to enable the clients that support a non-Windows platform to connect to the network:

■ Specify each non-Windows client as a trusted host.

■ Allow all clients with non-Windows operating systems.

The DHCP Enforcer appliance detects the operating system of the client and authenticates Windows clients. However, it does not allow non-Windows clients to connect to the normal DHCP server without authentication.

To allow non-Windows clients to connect to a network without authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group ofEnforcers.

The DHCP Enforcer appliance group must include the DHCP Enforcer appliance for which you want to allow all non-Windows clients to connect to a network.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Allow all clients with non-Windows operating systems.

The default setting is not enabled.

6 Click OK.


Having the DHCP Enforcer check the Policy Serial Number on a client

The Symantec Endpoint Protection Manager updates a client’s Policy Serial Number every time that the client's security policy changes. When a client connects to the Symantec Endpoint Protection Manager, it receives the latest security policies and the latest Policy Serial Number.

When a client tries to connect to the network through the DHCP Enforcer appliance, the DHCP Enforcer appliance retrieves the Policy Serial Number from the Symantec Endpoint Protection Manager. The DHCP Enforcer appliance then compares the Policy Serial Number with the one that it receives from the client. If the Policy Serial Numbers match, the DHCP Enforcer appliance has validated that the client is running an up-to-date security policy.

The default value for this setting is not enabled.

The following guidelines apply:

■ If the Check the Policy Serial Number on Client before allowing Client into network option is checked, a client must have the latest security policy before it can connect to the network through the normal DHCP server. If the client does not have the latest security policy, the client is notified to download the latest policy. The DHCP Enforcer appliance then forwards its DHCP request to receive a quarantine network configuration.

■ If the Check the Policy Serial Number on Client before allowing Client into network option is not checked and the Host Integrity check is successful, a client can connect to the network. The client can connect through the normal DHCP server even if its security policy is not up to date.

To have the DHCP Enforcer check the Policy Serial Number on a client

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The DHCP Enforcer appliance group must include the DHCP Enforcer appliance that checks the Policy Serial Number on a client.

4 In the Settings dialog box, on the Authentication tab, check Check the Policy Serial Number on the Client before allowing a Client into the network.

5 Click OK.


Sending a message from a DHCP Enforcer appliance to a client about non-compliance

You can inform the client that cannot connect to the network with a Windows pop-up message. The message typically tells the end user that a client cannot connect to the network. The client cannot connect to the network because it does not run the Symantec Endpoint Protection client or the Symantec Network Access Control client.

Most administrators type a brief statement of the need to run the Symantec Endpoint Protection client or the Symantec Network Access Control client. The message may include information about a download site where end users can download the required client software. You can also provide a contact telephone number and other relevant information.

This setting is enabled by default. It applies only to clients that do not run the Symantec Endpoint Protection client or the Symantec Network Access Control client.

As soon as you complete this task, the pop-up message appears on the client provided the Windows Messenger service is running on the client.

To send a message from a DHCP Enforcer appliance to a client about non-compliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Enable pop-up message on client if Client is not running.

6 In the Settings dialog box, on the Authentication tab, click Message.

7 In the Pop-up Message Settings dialog box, select how often the message is to appear on a client.

You can select any of the following time periods:

■ Once

The default value is Once.

■ Every 30 seconds

■ Every minute

■ Every 2 minutes

■ Every 5 minutes


■ Every 10 minutes

8 Type the message that you want to appear in the text box.

The maximum number of characters is 125. This number includes spaces and punctuation.

The default message is:

You are blocked from accessing the network because you do not have the Symantec Client running. You will need to install it.

9 In the Pop-up Message Settings dialog box, click OK.

10 In the Settings dialog box, on the Authentication tab, click OK.

Using DHCP servers settings

You can specify a number of DHCP server settings. When you apply these changes, they are automatically sent to the selected DHCP Enforcer appliance during the next heartbeat.

About using DHCP servers settings

You can specify up to 256 DHCP servers. If you specify multiple DHCP servers, you can provide failover and load balancing. You can use the DHCP Server Priority setting to have the DHCP Enforcer appliance send DHCP requests to multiple DHCP servers at the same time.

You can also set up normal and quarantine DHCP servers on separate computers or on one computer. If a client is authorized to connect to the network, the normal DHCP server assigns an IP address to the client. If you set up a quarantine DHCP server, an unauthorized client can still connect to the network. However, the unauthorized client can only communicate with limited computers in the network.

See “Adding a normal DHCP server” on page 138.

See “Adding a quarantine DHCP server” on page 139.

If you plan to set up a normal and quarantine DHCP server on the same computer, you must check the Enable User Class ID option.

If you check the Enable User Class ID option, the DHCP Enforcer appliance adds a quarantine user class in the DHCP messages. These DHCP messages are forwarded to the DHCP server. The DHCP server then assigns the quarantine configuration to the client that is based on the presence of this user class ID. You can use one DHCP server that functions as both a normal and as a quarantine DHCP server.

See “Combining a normal and a quarantine DHCP server on one computer” on page 137.

If you uncheck the Enable User Class ID option, you need to set up two separate DHCP servers. One of the DHCP servers functions as a normal DHCP server. The second DHCP server functions as a quarantine DHCP server.

See “Enabling separate normal and quarantine DHCP servers” on page 137.

Combining a normal and a quarantine DHCP server on one computer

The Enable User Class ID option enables you to set up a normal and a quarantine DHCP server on one computer. You therefore need fewer computers to achieve maximum security.

To combine a normal and a quarantine DHCP server on one computer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the DHCP Servers tab, check Enable User Class ID.

6 In the Settings dialog box, on the DHCP Servers tab, click OK.

Enabling separate normal and quarantine DHCP servers

The Enable User Class ID option enables you to set up separate normal DHCP servers as well as quarantine DHCP servers. You therefore can achieve maximum security if the traffic in a network demands it.

To enable separate normal and quarantine DHCP servers

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the DHCP Servers tab, uncheck Enable User Class ID.

6 Click OK.

Adding a normal DHCP server

The information for the normal DHCP server appears as a row in a table in the Settings dialog box.

To add a normal DHCP server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the DHCP Servers tab, under Normal DHCP Servers, click Add.

6 In the Add DHCP Server dialog box, check Enable if not already checked.

7 Type the IP address or host name of the DHCP server in the DHCP server IP text box.

8 Type the port number of the DHCP server in the DHCP server port text box.

The default port setting on the DHCP server is 67.

9 Select the Priority Number for the DHCP server in the DHCP server priority text box.

The default setting for the Priority is 1.

If you use one DHCP server on one computer as both a normal and quarantine DHCP server, add the DHCP server in this dialog box as both a normal and quarantine DHCP server. You fill in the same information in the Add DHCP Server dialog box for both types of DHCP servers.

You can assign a priority from 0 through 15 to a DHCP server. This setting is used for load balancing. If you configure two DHCP servers with the same priority, the DHCP Enforcer forwards the request to both DHCP servers at the same time. If one DHCP server is busy, the other can respond. If you configure multiple DHCP servers with different priorities, the DHCP Enforcer first forwards DHCP requests to the DHCP server that has the highest priority. The DHCP Enforcer then forwards the DHCP requests to the others.

10 Click OK.

In the Settings dialog box, on the DHCP Servers tab, click OK.

Adding a quarantine DHCP server

The information for the normal DHCP server appears as a row in a table in the Settings dialog box.

To add a quarantine DHCP server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the DHCP Servers tab, under Quarantine DHCP Servers, click Add.

6 In the Add DHCP Server dialog box, check Enable if not already checked.

7 Type the IP address or host name of the DHCP server in the DHCP server IP text box.

8 Type the port number of the DHCP server in the DHCP server port text box.

The default port setting on the DHCP server is 67.

9 Select the Priority Number for the DHCP server in the DHCP server priority text box.

The default setting for the Priority is 1.

If you use one DHCP server on one computer as both a normal and quarantine DHCP server, add the DHCP server in this dialog box as both a normal and quarantine DHCP server. You fill in the same information in the Add DHCP Server dialog box for both types of DHCP servers.

You can assign a priority from 0 through 15 to a DHCP server. This setting is used for load balancing. If you configure two DHCP servers with the same priority, the DHCP Enforcer forwards the request to both DHCP servers at the same time. If one DHCP server is busy, the other can respond. If you configure multiple DHCP servers with different priorities, the DHCP Enforcer appliance first forwards the DHCP requests to the DHCP server that has the highest priority and then to the others.

10 Click OK.

In the Settings dialog box, on the DHCP Servers tab, click OK.

Using advanced DHCP Enforcer appliance settings

You can configure the following advanced DHCP Enforcer appliance configuration settings:

■ Authentication timeout

See “Setting up an automatic quarantine for a client that fails authentication” on page 141.

■ DHCP message timeout

See “Specifying a DHCP Enforcer appliance's wait period before it grants a client access to the network” on page 141.

■ MAC addresses for the trusted hosts that the DHCP Enforcer allows to connect to the normal DHCP server without authentication

See “Enabling servers, clients, and devices to connect to the network as trusted hosts without authentication” on page 142.

■ Enabling DNS spoofing

See “Preventing DNS spoofing” on page 143.

■ Allowing legacy clients

See “Allowing a legacy client to connect to the network with a DHCP Enforcer appliance” on page 144.

■ Enabling local authentication

See “Enabling local authentication on the DHCP Enforcer appliance” on page 144.

When you apply any of these configuration settings, the changes are sent to the selected DHCP Enforcer during the next heartbeat.

Setting up an automatic quarantine for a client that fails authentication

You can specify how long a DHCP Enforcer appliance waits for a response from a client. The response verifies whether or not the Symantec Endpoint Protection client or the Symantec Network Access Control client has been installed. If the DHCP Enforcer appliance considers that the client software has not been installed during the interval that you specify, the client is kept in quarantine.

To set up an automatic quarantine for a client that fails authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Symantec Endpoint Protection Manager Console, under View Servers, select the DHCP Enforcer appliance for which you want to set the configuration setting.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Settings dialog box, on the Advanced tab, under Timeout Parameters, check Authentication timeout.

The default setting is three seconds.

7 Click OK.

Specifying a DHCP Enforcer appliance's wait period before it grants a client access to the network

You can specify how long a DHCP Enforcer appliance needs to wait for a response after it sends DHCP messages to a client or a DHCP server. If a DHCP Enforcer appliance does not receive a response after a designated interval, it resets its internal status about the client or DHCP server. Therefore the DHCP Enforcer appliance can only receive an initial message.

To specify a DHCP Enforcer appliance's wait period before it grants a client access to the network

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under View Servers, select the DHCP Enforcer appliance for which you want to set the configuration setting.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Settings dialog box, on the Advanced tab, under Timeout Parameters, check DHCP message timeout.

The default setting is three seconds.

7 Click OK.

Enabling servers, clients, and devices to connect to the network as trusted hosts without authentication

A trusted host is typically a server that cannot install the client software, such as a non-Windows server, or a device such as a printer. You may also want to identify non-Windows clients as trusted hosts because the DHCP Enforcer is unable to authenticate any clients that do not run the Symantec Endpoint Protection client or the Symantec Network Access Control client.

You can use MAC addresses to designate certain servers, clients, and devices as trusted hosts.

When you designate servers, clients, and devices as trusted hosts, the DHCP Enforcer appliance passes all DHCP messages from the trusted host to the normal DHCP server without authenticating the trusted host.

To enable servers, clients, and devices to connect to the network as trusted hosts without authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under View Servers, select the DHCP Enforcer appliance that permits servers, clients, and the devices that have been designated as trusted hosts to connect to the network without authentication.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Settings dialog box, on the Advanced tab, under Trusted Hosts, click Add.

7 In the Add Trusted Host dialog box, type the MAC address for the client or the trusted host in the Host MAC address field.

You can also copy MAC addresses from a text file.

When you specify a MAC address, you can use a wildcard character if you type it for all three fields on the right.

For example, 11-22-23-*-*-* represents the correct use of the wildcard character. However, 11-22-33-44-*-66 does not represent the correct use of the wildcard character.

8 Click OK.

9 In the Settings dialog box, on the Advanced tab, click OK.

The MAC address for the trusted host that you added now appears in the Settings dialog box in the MAC Address area.

10 Click OK.
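A validator and matcher for the trusted-host MAC entries described in step 7, as an added Python example that is not Symantec's code: it enforces the rule that a wildcard must replace all three right-hand fields, reads entries copied from a text file, and reports whether a given MAC address would bypass authentication. The function names are assumptions, and accepting ':' as a separator is a convenience the dialog is not documented to offer.

```python
"""Trusted-host MAC patterns for the DHCP Enforcer's Trusted Hosts list.

Constructed example, not Symantec's code. It enforces the wildcard rule from
the Add Trusted Host step: a wildcard is valid only when it stands in for all
three right-hand fields (11-22-23-*-*-* is valid, 11-22-33-44-*-66 is not).
Accepting ':' as a separator and lower-casing are conveniences added here.
"""
import re
from typing import Iterable, List

_HEX_FIELD = re.compile(r"^[0-9A-Fa-f]{2}$")
_WILDCARD_TAIL = ["*", "*", "*"]


def _split(value: str) -> List[str]:
    fields = re.split(r"[-:]", value.strip())
    if len(fields) != 6:
        raise ValueError(f"{value!r}: a MAC address has six fields")
    return fields


def normalize_mac(mac: str) -> str:
    """Return a full MAC address as lowercase 'aa-bb-cc-dd-ee-ff'."""
    fields = _split(mac)
    if not all(_HEX_FIELD.match(f) for f in fields):
        raise ValueError(f"{mac!r}: fields must be two hex digits")
    return "-".join(f.lower() for f in fields)


def validate_pattern(pattern: str) -> str:
    """Return a normalized trusted-host entry or raise ValueError."""
    fields = _split(pattern)
    head, tail = fields[:3], fields[3:]
    if not all(_HEX_FIELD.match(f) for f in head):
        raise ValueError(f"{pattern!r}: no wildcard in the first three fields")
    if "*" in tail:
        if tail != _WILDCARD_TAIL:
            raise ValueError(f"{pattern!r}: a wildcard must replace all three "
                             "right-hand fields")
        return "-".join(f.lower() for f in head) + "-*-*-*"
    return normalize_mac(pattern)


def load_patterns(text: str) -> List[str]:
    """Read entries copied from a text file: one per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(validate_pattern(line))
    return entries


def is_trusted_host(mac: str, patterns: Iterable[str]) -> bool:
    """True when the DHCP Enforcer would pass this host's DHCP messages to
    the normal DHCP server without authentication."""
    mac = normalize_mac(mac)
    for entry in patterns:
        entry = validate_pattern(entry)
        if entry.endswith("-*-*-*"):
            if mac.startswith(entry[:-5]):    # "aa-bb-cc-" prefix match
                return True
        elif entry == mac:
            return True
    return False
```

Only the MAC address is checked, so treat the list as an exception register: keep it short and reconcile it against the Client Activity Log.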

Preventing DNS spoofing

You can attempt to prevent DNS spoofing. You accomplish this objective by having the DHCP Enforcer appliance modify the relevant DHCP messages that are sent to a client. The DHCP Enforcer appliance replaces the IP address of the DNS server in the DHCP message with the DHCP Enforcer appliance’s external IP address. Therefore the DHCP Enforcer appliance acts as a DNS server to the clients and thus prevents DNS spoofing. This feature must be enabled if you want to deliver Symantec Network Access Control On-Demand clients from a DHCP Enforcer.

To prevent DNS spoofing

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Enable DNS Spoofing.

Use the Enforcer local IP address as the DNS request reply

The DHCP Enforcer appliance substitutes the officially-requested IP address with its own external IP address. The DHCP Enforcer appliance acts as a domain name server (DNS) when it replies to a DNS query by using the DHCP Enforcer appliance's own IP address.

Use the following IP addresses as DNS request reply

The DHCP Enforcer appliance substitutes the officially requested IP address with any of the IP addresses that you have specified. The DHCP Enforcer appliance acts as a domain name server (DNS) when it replies to a DNS query by using any of the IP addresses that you have specified.

6 Click OK.
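Two of the DHCP-message manipulations this chapter describes, the quarantine user class that the Enforcer inserts into forwarded requests (“About using DHCP servers settings”) and the DNS-server rewrite performed under Enable DNS Spoofing, as one added Python example that is not Symantec's code. It assumes DHCP option 77 for the user class (with a placeholder class string, since the guide does not name the real value) and option 6 for the DNS servers; the sample messages are constructed.

```python
"""DHCP option handling for two Enforcer behaviours: the quarantine user class
it inserts in forwarded requests (Enable User Class ID) and the DNS-server
rewrite it applies to replies (Enable DNS Spoofing). Constructed example.
Assumptions: user class = DHCP option 77 (RFC 3004), DNS servers = option 6,
and QUARANTINE_CLASS is a placeholder; the guide does not name the real value."""
import ipaddress
from typing import List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_DNS_SERVERS, OPT_USER_CLASS = 0, 255, 6, 77
QUARANTINE_CLASS = b"ENFORCER-QUARANTINE"   # placeholder, see docstring
Options = List[Tuple[int, bytes]]

def parse_options(blob: bytes) -> Options:
    """Decode a DHCP options field into [(code, value), ...]."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(MAGIC_COOKIE), []
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        opts.append((code, value))
        i += 2 + length
    raise ValueError("options field has no END option")

def build_options(opts: Options) -> bytes:
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"option {code} cannot be encoded")
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])

def _decode_user_class(value: bytes) -> List[bytes]:
    # RFC 3004 frames each class as <len><data>; some clients send the bare
    # string instead, so fall back to the raw value when framing fails.
    classes, i = [], 0
    while i < len(value):
        n = value[i]
        if n == 0 or i + 1 + n > len(value):
            return [value]
        classes.append(value[i + 1:i + 1 + n])
        i += 1 + n
    return classes

def user_classes(request: bytes) -> List[bytes]:
    return [cls for code, value in parse_options(request)
            if code == OPT_USER_CLASS for cls in _decode_user_class(value)]

def add_quarantine_user_class(request: bytes) -> bytes:
    """Enforcer side: mark a request from a client that failed authentication
    so one DHCP server can answer it from its quarantine scope."""
    opts = [(c, v) for c, v in parse_options(request) if c != OPT_USER_CLASS]
    framed = bytes([len(QUARANTINE_CLASS)]) + QUARANTINE_CLASS
    return build_options(opts + [(OPT_USER_CLASS, framed)])

def select_scope(request: bytes) -> str:
    """DHCP-server side: the user class decides which scope answers."""
    return "quarantine" if QUARANTINE_CLASS in user_classes(request) else "normal"

def dns_servers(reply: bytes) -> List[str]:
    for code, value in parse_options(reply):
        if code == OPT_DNS_SERVERS:
            return [str(ipaddress.IPv4Address(value[i:i + 4]))
                    for i in range(0, len(value), 4)]
    return []

def rewrite_dns_servers(reply: bytes, enforcer_external_ip: str) -> bytes:
    """Enable DNS Spoofing: point option 6 at the Enforcer's external address."""
    new_value = ipaddress.IPv4Address(enforcer_external_ip).packed
    return build_options([(c, new_value if c == OPT_DNS_SERVERS else v)
                          for c, v in parse_options(reply)])

# Constructed sample messages (option fields only, not full DHCP headers).
SAMPLE_DISCOVER = build_options([
    (53, b"\x01"),                                  # message type: DISCOVER
    (61, b"\x01" + bytes.fromhex("001122334455")),  # client identifier
    (55, bytes([1, 3, 6, 15])),                     # parameter request list
])
SAMPLE_OFFER = build_options([
    (53, b"\x02"),                                  # message type: OFFER
    (1, ipaddress.IPv4Address("255.255.255.0").packed),
    (3, ipaddress.IPv4Address("192.0.2.1").packed),
    (6, ipaddress.IPv4Address("192.0.2.53").packed
        + ipaddress.IPv4Address("192.0.2.54").packed),
    (51, (3600).to_bytes(4, "big")),                # lease time: one hour
])
```

On the DHCP server, select_scope is the decision the user-class policy makes when both scopes live on one computer; rewrite_dns_servers is why clients behind an Enforcer with Enable DNS Spoofing checked see the Enforcer's external address as their resolver.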

Allowing a legacy client to connect to the network with a DHCP Enforcer appliance

You can enable a DHCP Enforcer appliance to connect to 5.1.x legacy clients. If your network supports an 11.0.2 Symantec Endpoint Protection Manager, a Symantec DHCP Enforcer appliance, and needs to support 5.1.x legacy clients, you can enable the support of 5.1.x legacy clients on the management server console so that the Symantec DHCP Enforcer appliance does not block them.

To allow a legacy client to connect to the network with a DHCP Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of DHCP Enforcer appliances.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Allow legacy clients.

6 Click OK.

Enabling local authentication on the DHCP Enforcer appliance

With local authentication enabled, the DHCP Enforcer appliance loses its connection with the server on which the Symantec Endpoint Protection Manager is installed. Therefore the DHCP Enforcer appliance authenticates a client locally.


Page 145: Enforcer Implementation Guide SNAC11.0.5

To enable local authentication on the DHCP Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of DHCP Enforcer appliances.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Enable Local Authentication.

6 Click OK.


Page 146: Enforcer Implementation Guide SNAC11.0.5


Page 147: Enforcer Implementation Guide SNAC11.0.5

Chapter 8

Configuring the Symantec LAN Enforcer appliance on the Symantec Endpoint Protection Manager Console

This chapter includes the following topics:

■ About configuring the Symantec LAN Enforcer on the Symantec Endpoint Protection Manager appliance console

■ About configuring RADIUS servers on a LAN Enforcer appliance

■ About configuring 802.1x wireless access points on a LAN Enforcer appliance

■ Changing LAN Enforcer configuration settings on a Symantec Endpoint Protection Manager Console

■ Using general settings

■ Using RADIUS server group settings

■ Using switch settings

■ Using advanced LAN Enforcer appliance settings

■ Using 802.1x authentication


Page 148: Enforcer Implementation Guide SNAC11.0.5

About configuring the Symantec LAN Enforcer on the Symantec Endpoint Protection Manager appliance console

You can add or edit the configuration settings for the LAN Enforcer in the Symantec Endpoint Protection Manager Console. The Symantec Endpoint Protection Manager is also referred to as the management server.

Before you can proceed, you must complete the following tasks:

■ Install the software for the Symantec Endpoint Protection Manager on a computer. See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control. The computer on which the Symantec Endpoint Protection Manager software is installed is also referred to as the management server.

■ Connect the Symantec LAN Enforcer appliance to the network.

■ Configure the Symantec LAN Enforcer appliance on the local LAN Enforcer console during the installation.

After you finish these tasks, you can specify all additional configuration settings for the LAN Enforcer appliance on a management server.

About configuring RADIUS servers on a LAN Enforcer appliance

You can modify the LAN Enforcer settings in the Symantec Endpoint Protection console. The Enforcer must be installed and connected to the Symantec Endpoint Protection Manager before you can configure it to enforce Host Integrity policies on the client.

You can configure the following options for the LAN Enforcer:

■ Define the Enforcer group name and description, listen port, and management server list.

■ Configure the RADIUS server or servers. You configure the host name or IP address, authentication port, and shared secret. If you configure multiple servers in the group and one goes down, the LAN Enforcer connects to the next server in the list.

■ Configure a switch or group of switches.

■ Enable logging and specify log file parameters.


Page 149: Enforcer Implementation Guide SNAC11.0.5

■ Enable and disable local authentication.

■ Configure clients for 802.1x authentication.

If a setting refers to an 802.1x-aware switch, the same instructions apply to configuring wireless access points.

See “About configuring 802.1x wireless access points on a LAN Enforcer appliance” on page 149.

About configuring 802.1x wireless access points on a LAN Enforcer appliance

The LAN Enforcer appliance supports a number of wireless protocols, including WEP 56, WEP 128, and WPA/WPA2 with 802.1x.

You can configure a LAN Enforcer to protect the wireless access point (AP) as much as it protects a switch if the following conditions are true:

■ Network includes a wireless LAN Enforcer appliance with 802.1x.

■ Wireless clients run a supplicant that supports one of these protocols.

■ Wireless AP must support one of these protocols.

For wireless connections, the authenticator is the logical LAN port on the wireless AP.

You configure a wireless AP for 802.1x in the same way as a switch. You add wireless APs to the LAN Enforcer settings as part of a switch profile. Wherever an instruction or part of the user interface refers to a switch, use the comparable wireless AP terminology. For example, if you are instructed to select a switch model, select the wireless AP model. If the vendor of the wireless AP is listed, select it for the model. If the vendor is not listed, choose Others.

The configuration for a wireless AP for 802.1x and for switches includes the following differences:

■ Only basic configuration is supported. The transparent mode is not supported.

■ There can also be differences in support for VLANs, depending on the wireless AP. Some dynamic VLAN switches may require you to configure the AP with multiple service set identifiers (SSIDs). Each SSID is associated with a VLAN. See the documentation that comes with the dynamic VLAN switch.

Based on the wireless AP model that you use, you may want to use one of the following access control options instead of a VLAN:


Page 150: Enforcer Implementation Guide SNAC11.0.5

Access control lists (ACLs)

Some wireless APs, such as Aruba, support ACLs that enable the network administrator to define policies for network traffic management. You can use the generic option on the LAN Enforcer by selecting the vendor name of the wireless AP. As an alternative, you can select Others for the 802.1x-aware switch model (if it is not listed).

The generic option sends a generic attribute tag with the VLAN ID or name in it to the access point. You can then customize the access point. Now the access point can read the generic attribute tag for the VLAN ID and match it with the WAP’s ACL ID. You can use the Switch Action table as an ACL Action table.

Additional configuration on the wireless AP or AP controller may be required. For example, you may need to map the RADIUS tag that is sent to the wireless AP on the AP controller.

See the wireless AP documentation for details.

MAC level 802.1x

You can plug the wireless AP into a switch that supports MAC level 802.1x. For this implementation, you must disable 802.1x on the wireless AP. You can only use it on the switch. The switch then authenticates the wireless clients by recognizing the new MAC addresses. After it authenticates a MAC address, it puts that MAC address on the specified VLAN instead of the whole port. Every new MAC address has to be authenticated. This option is not as secure. However, this option enables you to use the VLAN switching capability.

Changing LAN Enforcer configuration settings on a Symantec Endpoint Protection Manager Console

You can change the LAN Enforcer configuration settings on a management server. The configuration settings are automatically downloaded from the management server to the LAN Enforcer appliance during the next heartbeat.

To change LAN Enforcer configuration settings on a Symantec Endpoint Protection Manager Console

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the group of Enforcers of which the LAN Enforcer appliance is a member.

The Enforcer group must include the LAN Enforcer whose configuration settings need to be changed.


Page 151: Enforcer Implementation Guide SNAC11.0.5

4 In the Admin page, under View Servers, select the LAN Enforcer appliance whose configuration settings need to be changed.

5 In the Admin page, under Tasks, click Edit Group Properties.

6 In the Settings dialog box, change any of the configuration settings.

The LAN Enforcer Settings dialog box provides the following categories of configuration settings:

General

This tab provides the following LAN Enforcer settings:

■ Group name for LAN Enforcer appliances

■ Listening port

■ Description for the LAN Enforcer appliance group

■ Selection of the management server list that the LAN Enforcer uses

See “Using general settings” on page 152.

RADIUS Server Group

This tab provides the following LAN Enforcer settings:

■ Name for the RADIUS Server group

■ Host name or IP address for the RADIUS Server

■ Port number for the RADIUS Server

■ Friendly name for the RADIUS Server

See “Using RADIUS server group settings” on page 156.

Switch

This tab provides the following LAN Enforcer settings:

■ Enable the switch policy

■ The name of the switch policy

■ The switch model, selected from a list of supported switches

■ The shared secret

■ The RADIUS server group

■ The reauthentication timeout period

■ Whether the switch forwards other protocols besides EAP

■ Switch Address

■ The VLAN on the Switch

■ Action

See “Using switch settings” on page 163.

Advanced

This tab provides the following advanced LAN Enforcer settings:

■ Enable local authentication

■ Allow legacy client

See “Using advanced LAN Enforcer appliance settings” on page 188.


Page 152: Enforcer Implementation Guide SNAC11.0.5

Log settings

Settings for enabling logging of Server logs and Client Activity logs, and for specifying log file parameters.

See “About Enforcer reports” on page 407.

See “About Enforcer logs” on page 408.

See “Configuring Enforcer log settings” on page 411.

Using general settings

You can add or edit the description of a LAN Enforcer appliance or a LAN Enforcer appliance group in the Symantec Endpoint Protection Manager Console.

See “Adding or editing the description of an Enforcer group with a LAN Enforcer” on page 154.

See “Adding or editing the description of a LAN Enforcer” on page 154.

You must establish a Listen port that is used for communication between the VLAN switch and the LAN Enforcer appliance.

See “Specifying a listening port that is used for communication between a VLAN switch and a LAN Enforcer” on page 153.

However, you cannot add or edit the name of a LAN Enforcer appliance group in the Symantec Endpoint Protection Manager Console. You cannot add or edit the IP address or host name of a LAN Enforcer appliance in the Symantec Endpoint Protection Manager Console. Instead, you must perform these tasks on the Enforcer console.

See “Adding or editing the name of a LAN Enforcer appliance group with a LAN Enforcer” on page 153.

However, you can only change the IP address or host name of a LAN Enforcer on the Enforcer console during the installation. If you later want to change the IP address or host name of a LAN Enforcer, you can do so on the LAN Enforcer console.

See “Adding or editing the IP address or host name of a LAN Enforcer” on page 154.

However, you can add or edit the IP address or host name of a Symantec Endpoint Protection Manager in a management server list.

See “Connecting the LAN Enforcer to a Symantec Endpoint Protection Manager” on page 155.


Page 153: Enforcer Implementation Guide SNAC11.0.5

Adding or editing the name of a LAN Enforcer appliance group with a LAN Enforcer

You cannot add or edit the name of a LAN Enforcer appliance group of which a LAN Enforcer appliance is a member. You perform these tasks on the Enforcer console during the installation. If you later want to change the name of a LAN Enforcer appliance group, you can do so on the Enforcer console.

All Enforcers in a group share the same configuration settings.

Specifying a listening port that is used for communication between a VLAN switch and a LAN Enforcer

When you configure the settings for a LAN Enforcer you specify the following Listen ports:

■ The Listen port that is used for communication between the VLAN switch and the LAN Enforcer. The VLAN switch sends the RADIUS packet to this UDP port.

■ The Listen Port that is used for communication between the LAN Enforcer and a RADIUS server. You specify this port when you specify a RADIUS server.

If the RADIUS server is installed on the management server, it should not be configured to use port 1812. RADIUS servers are configured to use port 1812 as the default setting. Because the management server also uses port 1812 to communicate with the LAN Enforcer, there is a conflict.

To specify a listening port that is used for communication between a VLAN switch and a LAN Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group.

4 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

5 In the LAN Enforcer Settings dialog box, on the Basic Settings tab, type the number of the UDP port that you want to assign in the Listen port field.

The default setting for the port is 1812. The range extends from 1 through 65535.

6 In the LAN Enforcer Settings dialog box, on the Basic Settings tab, click OK.


Page 154: Enforcer Implementation Guide SNAC11.0.5

Adding or editing the description of an Enforcer group with a LAN Enforcer

You can add or edit the description of an Enforcer group of which a Symantec LAN Enforcer appliance is a member. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the LAN Enforcer console.

To add or edit the description of an Enforcer group with a LAN Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Enforcer group whose description you want to add or edit.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Basic Settings tab, add or edit a description for the Enforcer group in the Description field.

6 In the Settings dialog box, click OK.

Adding or editing the IP address or host name of a LAN Enforcer

You can only change the IP address or host name of a LAN Enforcer on the Enforcer console during the installation. If you later want to change the IP address or host name of a LAN Enforcer, you can do so on the LAN Enforcer console.

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

Adding or editing the description of a LAN Enforcer

You can add or edit the description of a LAN Enforcer. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the LAN Enforcer console. After you complete this task, the description appears in the Description field of the Management Server pane.

To add or edit the description of a LAN Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Enforcer group that includes the LAN Enforcer whose description you want to add or edit.

4 In the Admin page, under View Servers, select the LAN Enforcer whose description you want to add or edit.


Page 155: Enforcer Implementation Guide SNAC11.0.5

5 In the Admin page, under Tasks, click Edit Enforcer Properties.

6 In the Enforcer Properties dialog box, add or edit a description for the LAN Enforcer in the Description field.

7 In the Enforcer Properties dialog box, click OK.

Connecting the LAN Enforcer to a Symantec Endpoint Protection Manager

Enforcers must be able to connect to servers on which the Symantec Endpoint Protection Manager is installed. The Symantec Endpoint Protection Manager includes a file that helps manage the traffic between clients, Symantec Endpoint Protection Managers, and optional Enforcers, such as a LAN Enforcer.

This file is called a management server list. The management server list specifies to which Symantec Endpoint Protection Manager server a LAN Enforcer connects. It also specifies to which Symantec Endpoint Protection server a LAN Enforcer connects in case of a management server's failure.

A default management server list is automatically created for each site during the initial installation. All available Symantec Endpoint Protection Managers at that site are automatically added to the default management server list.

A default management server list includes the management server's IP addresses or host names to which LAN Enforcers can connect after the initial installation. You may want to create a custom management server list before you deploy any Enforcers. If you create a custom management server list, you can specify the priority in which a LAN Enforcer can connect to management servers.

If an administrator has created multiple management server lists, you can select the specific management server list that includes the IP addresses or host names of those management servers to which you want the LAN Enforcer to connect. If there is only one management server at a site, then you can select the default management server list.

For more information on how to customize management server lists, see the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

To connect the LAN Enforcer to a Symantec Endpoint Protection Manager

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.


Page 156: Enforcer Implementation Guide SNAC11.0.5

3 In the Admin page, under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the LAN Enforcer for which you want to change the management server list.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Basic Settings tab, under Communication, select the management server list that you want this LAN Enforcer to use.

6 In the Settings dialog box, on the General tab, under Communication, click Select.

You can view the IP addresses and host names of all available management servers, as well as the priorities that have been assigned to them.

7 In the Management Server List dialog box, click Close.

8 In the Settings dialog box, click OK.

Using RADIUS server group settings

You can configure the LAN Enforcer to connect to one or more RADIUS servers.

You need to specify RADIUS servers as part of a RADIUS server group. Each group can contain one or more RADIUS servers. The purpose of a RADIUS server group is for RADIUS servers to provide failover. If one RADIUS server in the RADIUS server group becomes unavailable, the LAN Enforcer tries to connect with another RADIUS server that is part of the RADIUS server group.

You can add, edit, and delete the name of a RADIUS server group in the Symantec Endpoint Protection Manager Console.

See “Adding a RADIUS server group name and RADIUS server” on page 157.

See “Editing the name of a RADIUS server group” on page 158.

See “Deleting the name of a RADIUS server group” on page 162.

You can add, edit, and delete the name, host name, IP address, authentication port number, and the shared secret of a RADIUS server in the Symantec Endpoint Protection Manager Console.

See “Adding a RADIUS server group name and RADIUS server” on page 157.

See “Editing the friendly name of a RADIUS server” on page 159.

See “Editing the host name or IP address of a RADIUS server” on page 160.

See “Editing the authentication port number of a RADIUS server” on page 160.

See “Editing the shared secret of a RADIUS server” on page 161.


Page 157: Enforcer Implementation Guide SNAC11.0.5

See “Deleting a RADIUS server” on page 162.

Adding a RADIUS server group name and RADIUS server

You can add a RADIUS server group name and RADIUS server at the same time.

To add a RADIUS server group name and RADIUS server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group.

4 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Add.

The name of the RADIUS server group and the IP address of an existing RADIUS server appear in the table.

6 In the Add RADIUS Server Group dialog box, type the name of the RADIUS server group in the Group text box.

The name of the RADIUS server group, the host name or IP address of an existing RADIUS server, and the port number of the RADIUS server appear in the table.

7 In the Add RADIUS Server Group dialog box, click Add.


Page 158: Enforcer Implementation Guide SNAC11.0.5

8 In the Add RADIUS Server dialog box, type the following:

In the field: Friendly name of RADIUS server

Type a name that easily identifies the RADIUS server when it appears on the list of servers for that group.

In the field: Hostname or IP address

Type the hostname or IP address of the RADIUS server.

In the field: Authentication port

Type the network port on the RADIUS server where the LAN Enforcer sends the authentication packet from the client.

The default setting is UDP 1812.

In the field: Shared secret

Type the shared secret that is used for encrypted communication between the RADIUS server and the LAN Enforcer. The shared secret between a RADIUS server and a LAN Enforcer can be different from the shared secret between an 802.1x-aware switch and a LAN Enforcer. The shared secret is case sensitive.

In the field: Confirm shared secret

Type the shared secret again.

9 In the Add RADIUS Server dialog box, click OK.

The name, IP address, and port for the RADIUS server you added now appear in the RADIUS Server Group list in the Add RADIUS Server Group dialog box.

10 In the Add RADIUS Server Group dialog box, click OK.

11 In the LAN Enforcer Settings dialog box, click OK.
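As an added illustration of the two shared secrets described for the Shared secret field above, and of the VLAN attribute tag the LAN Enforcer sends to a switch or wireless AP (see the wireless access point section earlier in this chapter), the following Python example (not Symantec's code) models the standard RADIUS mechanics between which the Enforcer sits: it checks a RADIUS server's reply with the server-side secret (the RFC 2865 Response Authenticator), adds a VLAN assignment using the RFC 2868 tunnel attributes, and re-signs the reply for the switch with the switch-side secret. The secrets, identifiers, user name and function names are constructed; how the Symantec appliance implements this internally is not documented here.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME = 1
# RFC 2868 tunnel attributes that carry a VLAN assignment to an 802.1x switch or AP
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS attribute TLVs."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("BB", attr_type, 2 + len(value)) + value
    return out


def decode_attrs(body):
    """Parse the attribute area of a RADIUS packet back into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, attrs_body, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A wrong, or differently cased, shared secret produces a different value."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_body))
    return hashlib.md5(header + request_auth + attrs_body + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Access-Accept/Reject answering the request that carried request_auth."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def verify_response(resp, request_auth, secret):
    """True only if resp was signed with `secret` over our request authenticator."""
    code, ident, auth, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, resp[20:], request_auth, secret)
    return hmac.compare_digest(auth, expected)


def vlan_attrs(vlan_id, tag=1):
    """Tagged tunnel attributes telling the switch which VLAN to place the port in:
    Tunnel-Type and Tunnel-Medium-Type are a tag byte plus a 3-byte integer,
    Tunnel-Private-Group-ID is a tag byte plus the VLAN ID (or name) as text."""
    return [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ]


def assigned_vlan(pkt):
    """VLAN carried in Tunnel-Private-Group-ID (tag byte dropped), or None."""
    for attr_type, value in parse_packet(pkt)[3]:
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return value[1:].decode()
    return None


def relay_to_switch(server_resp, upstream_req_auth, radius_secret,
                    switch_ident, switch_req_auth, switch_secret, vlan_id=None):
    """Model of the Enforcer between switch and RADIUS server (EAP Message-Authenticator
    handling omitted): validate the server's reply with the RADIUS-side secret, add the
    VLAN assignment to an Accept, then re-sign for the switch with the switch-side secret
    and the identifier of the switch's own request."""
    if not verify_response(server_resp, upstream_req_auth, radius_secret):
        raise ValueError("Response Authenticator mismatch: wrong RADIUS shared secret "
                         "or altered reply")
    code, _, _, attrs = parse_packet(server_resp)
    if code == ACCESS_ACCEPT and vlan_id is not None:
        vlan_types = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
        attrs = [a for a in attrs if a[0] not in vlan_types] + vlan_attrs(vlan_id)
    return build_response(code, switch_ident, attrs, switch_req_auth, switch_secret)


def demo(radius_secret=b"RadiusSecret2", enforcer_secret=None, switch_secret=b"SwitchSecret1"):
    """Constructed exchange: one secret per leg, VLAN 20 assigned on Accept. enforcer_secret
    is what the Enforcer has configured for the RADIUS server (defaults to the right one).
    Returns (packet sent to the switch, switch request auth, upstream request auth)."""
    enforcer_secret = enforcer_secret or radius_secret
    switch_req_auth, upstream_req_auth = os.urandom(16), os.urandom(16)
    server_resp = build_response(ACCESS_ACCEPT, 9, [(USER_NAME, b"user1")],
                                 upstream_req_auth, radius_secret)
    to_switch = relay_to_switch(server_resp, upstream_req_auth, enforcer_secret,
                                3, switch_req_auth, switch_secret, vlan_id=20)
    return to_switch, switch_req_auth, upstream_req_auth
```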

Editing the name of a RADIUS server group

You can change the name of the RADIUS server group at any time if circumstances change.

To edit the name of a RADIUS server group

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.


Page 159: Enforcer Implementation Guide SNAC11.0.5

4 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group whose name you want to change.

6 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Edit.

7 In the Add RADIUS Server dialog box, edit the name of the RADIUS server group in the Group name field.

8 In the Add RADIUS Server dialog box, click OK.

9 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click OK.

Editing the friendly name of a RADIUS server

You can change the friendly name of the RADIUS server at any time if circumstances change.

To edit the friendly name of a RADIUS server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.

4 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group that includes the RADIUS server whose friendly name you want to change.

6 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Edit.

7 In the Add a RADIUS Server dialog box, edit the friendly name of the RADIUS server in the Friendly name of RADIUS server field.

8 In the Add RADIUS Server dialog box, click OK.

9 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click OK.


Page 160: Enforcer Implementation Guide SNAC11.0.5

Editing the host name or IP address of a RADIUS server

You can change the host name or IP address of the RADIUS server at any time if circumstances change.

To edit the host name or IP address of a RADIUS server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.

4 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group that includes the RADIUS server whose host name or IP address you want to change.

6 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Edit.

7 In the Add a RADIUS Server dialog box, edit the host name or IP address of the RADIUS server in the Hostname or IP Address field.

8 In the Add RADIUS Server dialog box, click OK.

9 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click OK.

Editing the authentication port number of a RADIUS server

You can change the authentication port number of the RADIUS server at any time if circumstances change.

To edit the authentication port number of a RADIUS server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.

4 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group that includes the RADIUS server whose authentication port number you want to change.


Page 161: Enforcer Implementation Guide SNAC11.0.5

6 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Edit.

7 In the Add a RADIUS Server dialog box, edit the authentication port number of the RADIUS server in the Authentication port field.

8 In the Add RADIUS Server dialog box, click OK.

9 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click OK.

Editing the shared secret of a RADIUS server

You can change the shared secret of the RADIUS server at any time if circumstances change.

To edit the shared secret of a RADIUS server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.

3 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group that includes the RADIUS server whose shared secret you want to change.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Edit.

6 In the Add a RADIUS Server dialog box, edit the shared secret of the RADIUS server in the Shared secret field.

The shared secret is used for encrypted communication between the RADIUS server and the LAN Enforcer. The shared secret between a RADIUS server and a LAN Enforcer can be different from the shared secret between an 802.1x-aware switch and a LAN Enforcer. The shared secret is case sensitive.

7 In the Add a RADIUS Server dialog box, edit the shared secret of the RADIUS server in the Confirm shared secret field.

8 In the Add RADIUS Server dialog box, click OK.

9 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click OK.


Page 162: Enforcer Implementation Guide SNAC11.0.5

Deleting the name of a RADIUS server group

You can delete the name of the RADIUS server group at any time if circumstances change.

To delete the name of a RADIUS server group

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.

3 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group whose name you want to delete.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Remove.

6 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click OK.

Deleting a RADIUS server

You can delete a RADIUS server at any time if circumstances change.

To delete a RADIUS server

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group of which the LAN Enforcer is a member.

3 In the Admin page, under View Servers, under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click the RADIUS server group of which the RADIUS server that you want to delete is a member.

5 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab, click Edit.

6 In the Add RADIUS Server dialog box, click the RADIUS server that you want to delete.

7 In the Add RADIUS Server dialog box, click Remove.


Page 163: Enforcer Implementation Guide SNAC11.0.5

8 In the Add RADIUS Server dialog box, click OK.

9 In the LAN Enforcer Settings dialog box, on the RADIUS Server Group tab,click OK.

Using switch settings

You configure a switch policy when you specify LAN Enforcer settings for switches. A switch policy is a collection of settings that is applied to a group of switches of the same manufacturer or model. The only information that you need to enter separately for individual switches is the IP address of the switch.

About using switch settings

You need to specify the following basic information before LAN Enforcer appliances, management servers, clients, and 802.1x-aware switches all work together:

■ A name of your choice for the switch policy

■ The switch manufacturer and model. You select the switch model from a list of supported switches.

■ The encrypted password or shared secret

■ The RADIUS server group that is used

■ The reauthentication timeout period for the 802.1x-aware switch. The default setting is 30 seconds.

■ Whether the switch forwards other protocols besides EAP. The default setting is to forward other protocols.

See “Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard”on page 168.

See “Editing basic information about the switch policy and 802.1x-aware switch”on page 175.

You need to specify the set of 802.1x-aware switches to which the switch policyapplies as follows:

■ A friendly switch name of your choice

■ IP address, IP range, or subnet

See “Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard”on page 168.

See “Editing information about the 802.1x-aware switch” on page 180.


Page 164: Enforcer Implementation Guide SNAC11.0.5

You need to specify the following VLAN information:

■ VLAN ID

■ VLAN name

■ Optionally, you can specify the customized RADIUS attributes in hexadecimalformat.

See “Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard”on page 168.

See “Editing VLAN information for the switch policy” on page 182.

If an 802.1x-aware switch supports dynamic VLAN switching, you can specifythat the client must connect to a specific VLAN.

You need to specify the actions that the 802.1x-aware switch needs to take whencertain criteria are met:

■ Host authentication result: Pass, Fail, Unavailable, or Ignore Result

■ User authentication result: Pass, Fail, Unavailable, or Ignore Result

■ Policy Check result: Pass, Fail, Unavailable, or Ignore Result

See “Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard”on page 168.

About the support for attributes of switch models

When you configure the LAN Enforcer appliance, you specify the model of the 802.1x-aware switch. Different 802.1x-aware switches look for different attributes to determine which VLAN a client can access. Some switches identify VLANs by VLAN ID and others by VLAN name. Some devices have limited or no VLAN support.

The LAN Enforcer appliance forwards attributes from the RADIUS server to the switch. If necessary, however, it modifies or appends the VLAN attribute based on the switch type, using the values that the switch supports. If a conflict exists between the vendor-specific attribute information that the RADIUS server sends and the vendor-specific VLAN attribute information that the LAN Enforcer uses, the LAN Enforcer removes the vendor-specific information that the RADIUS server sends and replaces it with the information that appears in the following table.

If you want to keep the attributes from the RADIUS server, you can select the action called Open Port. With this action, the LAN Enforcer forwards all attributes from the RADIUS server to the 802.1x-aware switch without any modifications.


Page 165: Enforcer Implementation Guide SNAC11.0.5

The 802.1x-aware switch model can use VLAN ID or VLAN Name to performdynamic VLAN assignments. You must specify both the VLAN ID and VLAN namewhen you provide VLAN information for the LAN Enforcer, with the exception ofthe Aruba switch.

Table 8-1 describes the 802.1x-aware switch models and attributes.

Table 8-1 Support for attributes of switch models

Switch model: Airespace Wireless Controller
Attributes added by LAN Enforcer: The vendor code is 14179. The vendor-assigned attribute number is 5. The attribute format is "string."
Comments: VLAN Name is used. The name is case sensitive.

Switch model: Alcatel
Attributes added by LAN Enforcer: Vendor Specific (#26). The vendor ID of Alcatel is 800. All "Vendor Specific" attributes from RADIUS with an ID of 800 are removed in case of conflict.
Comments: VLAN ID is used.

Switch model: Aruba
Attributes added by LAN Enforcer: Vendor Specific (#26) with vendor ID 14823 (Aruba). The Aruba-User-Role attribute permits you to set up either VLAN IDs or VLAN names.
Comments: Both VLAN name and VLAN ID can be used. Alternately, you can use only a VLAN name or only a VLAN ID. A valid VLAN ID ranges from 1 to 4094. A VLAN name cannot exceed 64 bytes.

Switch model: Cisco Aironet Series
Attributes added by LAN Enforcer: Depends on whether you use SSID access control. RADIUS user attributes used for VLAN-ID assignment: IETF 64 (Tunnel Type), set to "VLAN"; IETF 65 (Tunnel Medium Type), set to "802"; IETF 81 (Tunnel Private Group ID), set to the VLAN-ID. RADIUS user attribute used for SSID access control: Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair.
Comments: VLAN ID is used.

Switch model: Cisco Catalyst Series
Attributes added by LAN Enforcer: Tunnel Type (#64), Tunnel Medium Type (#65), Tunnel Private Group ID (#81). Tunnel Type is set to 13 (VLAN). Tunnel Medium Type is set to 6 (802 media). Tunnel Private Group ID is set to the VLAN name. All attributes of these three types from the RADIUS server are removed in case of conflict. Any attribute of type "Vendor Specific" with vendor ID 9 (Cisco) is also removed.
Comments: VLAN Name is used. The name is case sensitive.

Switch model: Foundry, HP, Nortel
Attributes added by LAN Enforcer: Tunnel Type (#64), Tunnel Medium Type (#65), Tunnel Private Group ID (#81). Tunnel Type is set to 13 (VLAN). Tunnel Medium Type is set to 6 (802 media). Tunnel Private Group ID is set to the VLAN ID. All attributes of these three types from the RADIUS server are removed in case of conflict.
Comments: VLAN ID is used.

Switch model: Enterasys
Attributes added by LAN Enforcer: Filter ID (#11). Filter ID is set to Enterasys:version=1:mgmt=su:policy=NAME. All "Filter ID" attributes from the RADIUS server are removed in case of conflict.
Comments: VLAN Name is used and represents the "Role name" in the Enterasys switch. The name is case sensitive.

Switch model: Extreme
Attributes added by LAN Enforcer: Vendor Specific (#26). Vendor ID is 1916 for Extreme. The VLAN Name is added after the Vendor ID. All vendor-specific attributes from the RADIUS server with an ID of 1916 are removed in case of conflict.
Comments: VLAN Name is used. The name is case sensitive.
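The rewrite that Table 8-1 describes, shown as an added Python example (this is not Symantec code and not part of the guide): the attribute encoder follows RFC 2865 Type/Length/Value with the RFC 2868 tunnel attributes and Vendor-Specific (#26) layout, and `rewrite` applies the table's rule of dropping the RADIUS server's conflicting attributes before appending the model-specific VLAN attributes, or forwarding everything untouched for Open Port. Assumptions: the model names are the strings used here; the tunnel attribute Tag byte is 0; and the Extreme vendor-assigned attribute number 203 (Extreme-Netlogin-Vlan) is assumed, because the table only says the VLAN name follows the vendor ID. The sample server attributes are constructed.

```python
"""RFC 2865 attribute encoding and the Table 8-1 rewrite (added example, not Symantec code)."""
import struct

# Attribute types named in Table 8-1 (RFC 2865 / RFC 2868)
FILTER_ID, VENDOR_SPECIFIC = 11, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
# Vendor IDs from Table 8-1
VENDOR_CISCO, VENDOR_EXTREME, VENDOR_AIRESPACE = 9, 1916, 14179
# Vendor-assigned attribute numbers: 5 for Airespace comes from the table;
# 203 (Extreme-Netlogin-Vlan) is an ASSUMPTION, the guide only says the name follows the vendor ID
AIRESPACE_INTERFACE_NAME, EXTREME_NETLOGIN_VLAN = 5, 203


def attr(atype, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def tunnel_attr(atype, value, tag=0):
    """Tunnel attributes carry a 1-byte Tag (assumed 0) before a 3-byte integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return attr(atype, bytes([tag]) + body)


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (#26): 4-byte Vendor-Id, then the vendor's own Type/Length/Value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse(blob):
    """Split a packed attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def vendor_of(value):
    """Vendor-Id of a Vendor-Specific value, or None if it is too short to hold one."""
    return struct.unpack("!I", value[:4])[0] if len(value) >= 4 else None


def enforcer_rules(model, vlan_id, vlan_name):
    """Return (attributes to append, predicate for server attributes to drop) per Table 8-1."""
    if model in ("Cisco Catalyst Series", "Foundry", "HP", "Nortel"):
        # Catalyst is assigned by VLAN name, the other three by VLAN ID
        group = vlan_name if model == "Cisco Catalyst Series" else str(vlan_id)
        added = [tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                 tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802),
                 tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, group)]

        def drop(t, v):  # Catalyst additionally sheds Cisco (vendor 9) VSAs
            cisco = model == "Cisco Catalyst Series" and t == VENDOR_SPECIFIC
            return t in TUNNEL_ATTRS or (cisco and vendor_of(v) == VENDOR_CISCO)
    elif model == "Enterasys":
        added = [attr(FILTER_ID, f"Enterasys:version=1:mgmt=su:policy={vlan_name}".encode())]

        def drop(t, v):
            return t == FILTER_ID
    elif model in ("Extreme", "Airespace Wireless Controller"):
        vendor, vtype = ((VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN) if model == "Extreme"
                         else (VENDOR_AIRESPACE, AIRESPACE_INTERFACE_NAME))
        added = [vsa(vendor, vtype, vlan_name.encode())]

        def drop(t, v):
            return t == VENDOR_SPECIFIC and vendor_of(v) == vendor
    else:
        raise ValueError(f"no attribute rules for switch model {model!r}")
    return added, drop


def rewrite(server_blob, model, vlan_id, vlan_name, open_port=False):
    """Open Port forwards the RADIUS server's attributes untouched; any other action
    strips the conflicting attributes and appends the model-specific VLAN attributes."""
    if open_port:
        return server_blob
    added, drop = enforcer_rules(model, vlan_id, vlan_name)
    kept = [attr(t, v) for t, v in parse(server_blob) if not drop(t, v)]
    return b"".join(kept + added)
```

A RADIUS server reply carrying Class (#25), a Tunnel Private Group ID of "Guest" and a Cisco VSA, rewritten for a Catalyst with VLAN "Remediation", keeps only Class and gains the three tunnel attributes; the same reply for an HP switch keeps the Cisco VSA, because Table 8-1 only removes it for Catalyst.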


Page 168: Enforcer Implementation Guide SNAC11.0.5

Adding an 802.1x switch policy for a LAN Enforcer appliance with a wizard

You can add multiple 802.1x-aware switches for use with a LAN Enforcer applianceas part of a switch policy. You must enter the information that is needed toconfigure the LAN Enforcer appliance interaction with the switch.

To add an 802.1x switch policy for a LAN Enforcer appliance with a wizard

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 In the Admin page, under View Servers, under Tasks, click Edit GroupProperties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab, click Add.

5 In the Welcome to the Switch Policy Configuration Wizard panel of the SwitchPolicy Configuration Wizard, click Next.

6 In the Basic Information panel of the Switch Policy Configuration Wizard, complete the following fields:

Switch policy name
Type a name of your choice that identifies the switch policy. For example, you can use the manufacturer name and model as the switch policy name.

Switch model
The LAN Enforcer uses the switch model to determine the vendor-specific RADIUS server attribute. Select the 802.1x-aware model from the list of supported switches:

■ Other
If your model is not listed, select Other to use a generic RADIUS server attribute.

■ 3Com

■ Alcatel switch

■ Cisco Catalyst Series

■ Enterasys Matrix Series

■ Extreme Summit Series

■ Foundry Networks

■ HP Procurve Series

■ Nortel BayStack Series

■ Cisco Aironet Series

■ Aruba Switches

■ Airespace Wireless Controller

■ Nortel Wireless

■ Enterasys wireless controller

■ HuaWei switch

Note: If the administrator chooses transparent mode on the switch, the administrator must configure the policy to use transparent mode on the client, rather than letting the user select.

Encrypted password or Shared secret
The shared secret that is used for communication between the 802.1x-aware switch and the LAN Enforcer appliance. The encrypted password or shared secret is case sensitive.

Confirm encrypted password or shared secret
Type the encrypted password or shared secret again.

RADIUS server group
If you use the LAN Enforcer appliance with a RADIUS server, you must select the RADIUS server group from the list of available RADIUS server groups.

Reauthentication period (seconds)
Type the amount of time in seconds within which the client must be reauthenticated. Otherwise the client is removed from the list of connected clients on the LAN Enforcer.

You should set the reauthentication period to at least double the reauthentication interval on the switch.

For example, if the reauthentication interval on the switch is 30 seconds, the LAN Enforcer appliance reauthentication period should be at least 60 seconds. Otherwise the LAN Enforcer appliance assumes that the client has timed out, and the client does not release and renew its IP address.

The default setting is 30 seconds.

Forward protocols besides EAP
You can allow the LAN Enforcer appliance to forward the RADIUS packets that contain authentication protocols other than EAP. Other protocols include Challenge Handshake Authentication Protocol (CHAP) and PAP.

The default setting is enabled.

7 In the Basic Information panel of the Switch Policy Configuration Wizard,click Next.

8 In the Switch List panel of the Switch Policy Configuration Wizard, click Add.


Page 171: Enforcer Implementation Guide SNAC11.0.5

9 In the Switch List panel of the Switch Policy Configuration Wizard, complete the following fields:

Name
In the Add Single Internal IP Address dialog box, type a friendly name that identifies the 802.1x-aware switch in the Name field.

Single IP Address
In the Add Single Internal IP Address dialog box, click Single IP address. Then type the IP address of the 802.1x-aware switch in the IP Address field.

IP Address Range
In the Add Internal IP Address Range dialog box, click IP Address Range. Type the first IP address of the range for the 802.1x-aware switches in the Starting IP Address field and the last IP address of the range in the End IP field.

Subnet
In the Add Internal IP Address Subnet dialog box, click Subnet. Type the IP address for the subnet in the IP address field and the subnet mask in the Subnet Mask field.

When you specify a switch policy for a LAN Enforcer appliance, you canassociate the switch policy with one or more 802.1x-aware switches.

10 In the Add Internal IP address dialog box, click OK.

11 In the Switch List panel of the Switch Policy Configuration Wizard, click Next.

12 In the Switch VLAN Configuration panel of the Switch Policy ConfigurationWizard, click Add.


Page 172: Enforcer Implementation Guide SNAC11.0.5

13 In the Add VLAN dialog box, complete the following fields:

VLAN ID
Type an integer from 1 to 4094 in the VLAN ID field.

The VLAN ID must be the same as the one that is configured on the 802.1x-aware switch, except for the Aruba switch.

If you plan to add VLAN information about an Aruba switch, you may want to configure VLAN and role information differently than you have for other 802.1x switches.

See "Configuring VLAN and role information on the 802.1x-aware Aruba switch" on page 183.

VLAN Name
Type the name of the VLAN.

The name of the VLAN can be up to 64 characters. It is case sensitive.

The VLAN name must be the same as the one that is configured on the 802.1x-aware switch, except for the Aruba switch.

If you plan to add VLAN information about an Aruba switch, you may want to configure VLAN and role information differently than you have for other 802.1x switches.

See "Configuring VLAN and role information on the 802.1x-aware Aruba switch" on page 183.

Send customized RADIUS attributes to switch
Check Send customized RADIUS attributes to switch if you want the LAN Enforcer to send a customized RADIUS attribute to the 802.1x-aware switch. An attribute can be an access control list (ACL).

See "About the support for attributes of switch models" on page 164.

Customized attributes in hex format
Type the RADIUS attribute in hex format.

The length must be even.

When you specify a switch policy for a LAN Enforcer, you use the VLAN tab to add the VLAN information for each VLAN that is configured on the switch, so that the VLAN is available to the LAN Enforcer as an action. It is recommended that you specify at least one remediation VLAN.

14 In the Add VLAN dialog box, click OK.

15 In the Switch VLAN Configuration panel of the Switch Policy ConfigurationWizard, click Next.


Page 173: Enforcer Implementation Guide SNAC11.0.5

16 In the Switch Action Configuration panel of the Switch Policy ConfigurationWizard, click Add.

17 In the Add Switch Action dialog box, complete the following fields:

Host Authentication
Click any of the following conditions:

■ Passed

■ Failed

■ Unavailable

■ Ignore Result

A typical situation in which a Host Integrity check becomes unavailable is a client that is not running. If you set Host Authentication to Unavailable, you must also set Policy Check to Unavailable.

User Authentication
Click any of the following conditions:

■ Passed

The client has passed user authentication.

■ Failed

The client has not passed user authentication.

■ Unavailable

The user authentication result is always Unavailable when user authentication is not performed, which is the case in transparent mode. If you use the LAN Enforcer in transparent mode, you must create an action for the Unavailable condition.

If you use the basic configuration, you may also want to configure an action for user authentication as an error condition. For example, an 802.1x supplicant uses an incorrect user authentication method, or the RADIUS server fails in the middle of the authentication transaction.

The Unavailable condition for user authentication may also occur on some RADIUS servers if the user name does not exist in the RADIUS database. For example, this problem may occur with Microsoft IAS. Test the missing user name condition with your RADIUS server to see whether it matches the Failed or the Unavailable user authentication condition.

■ Ignore Result

A typical situation in which a Host Integrity check becomes unavailable is a client that is not running. If you set Policy Check to Unavailable, you must also set Host Authentication to Unavailable.

Policy Check
Click any of the following conditions:

■ Passed

The client has passed the Policy Check.

■ Failed

The client has not passed the Policy Check.

■ Unavailable

The Unavailable result for the Policy Check may occur under the following conditions:

■ The client has an invalid identifier, so the LAN Enforcer cannot obtain any policy information from the management server. This problem can occur if the management server that deployed the client policy is no longer available.

■ The client was exported and installed before it connected to the management server and received its policy.

■ Ignore Result

Action
You can select the following actions that the 802.1x-aware switch performs when the conditions are met:

■ Open Port

The 802.1x-aware switch allows network access on the default VLAN to which the port is normally assigned. It also allows network access on the VLAN that is specified in an attribute that is sent from the RADIUS server. Users therefore receive VLAN access based on user ID and user role.

The default action is Open Port.

■ Switch to VLAN-test

Allows access to the specified VLAN. The VLANs that are available to select are the ones that you configured previously.

■ Close Port

Denies network access on the default or RADIUS-specified VLAN. On some switch models, depending on the switch configuration, the port is assigned to a guest VLAN.

For the Aruba switch, you can restrict access according to a specified role as well as a specified VLAN. The restrictions depend on how you configured the VLAN information for the switch policy.

18 In the Add Switch Action dialog box, click OK.


Page 175: Enforcer Implementation Guide SNAC11.0.5

19 In the Switch Action Configuration panel of the Switch Policy ConfigurationWizard, in the Switch Action table, click the switch action policy whosepriority you want to change.

The LAN Enforcer checks the authentication results against the entries inthe switch action table in the order from top to bottom of the table. After itfinds a matching set of conditions, it instructs the 802.1x-aware switch toapply that action. You can change the sequence in which actions are appliedby changing the order in which they are listed in the table.

20 In the Switch Action Configuration panel of the Switch Policy ConfigurationWizard, click Move Up or Move Down.

21 In the Switch Action Configuration panel of the Switch Policy ConfigurationWizard, click Next.

22 In the Complete the Switch Policy Configuration panel of the Switch PolicyConfiguration Wizard, click Finish.
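The top-to-bottom, first-match evaluation that step 19 describes, and the Unavailable coupling between Host Authentication and Policy Check from step 17, as an added Python example (not Symantec code and not part of the guide). The result names and action strings are the ones listed in step 17; the table rows are constructed; and falling through to Open Port when no row matches is an assumption based on the guide's statement that Open Port is the default action.

```python
"""First-match evaluation of a LAN Enforcer switch action table (added example, not Symantec code)."""
from dataclasses import dataclass

PASSED, FAILED, UNAVAILABLE, IGNORE = "Passed", "Failed", "Unavailable", "Ignore Result"
RESULTS = {PASSED, FAILED, UNAVAILABLE}


@dataclass(frozen=True)
class SwitchAction:
    host_auth: str      # condition on the Host Authentication (Host Integrity) result
    user_auth: str      # condition on the 802.1x User Authentication result
    policy_check: str   # condition on the Policy Check result
    action: str         # "Open Port", "Switch to VLAN-<name>" or "Close Port"

    def matches(self, host, user, policy):
        """Ignore Result is a wildcard; every other condition must equal the result."""
        pairs = ((self.host_auth, host), (self.user_auth, user), (self.policy_check, policy))
        return all(cond == IGNORE or cond == got for cond, got in pairs)


def validate(table):
    """Reject the inconsistency the guide warns about: if either Host Authentication
    or Policy Check is Unavailable, the other must be Unavailable too."""
    for i, row in enumerate(table):
        if (row.host_auth == UNAVAILABLE) != (row.policy_check == UNAVAILABLE):
            raise ValueError(f"row {i}: Host Authentication and Policy Check must both be Unavailable")
    return table


def decide(table, host, user, policy, default="Open Port"):
    """Walk the table top to bottom and return the first matching action.
    The fall-through default is an assumption (the guide calls Open Port the default action)."""
    for r in (host, user, policy):
        if r not in RESULTS:
            raise ValueError(f"unknown authentication result {r!r}")
    for row in table:
        if row.matches(host, user, policy):
            return row.action
    return default


# Constructed table, most specific rows first. Row 2 covers transparent mode, where the
# user authentication result is always Unavailable; row 3 covers a client that is not running.
TABLE = validate([
    SwitchAction(PASSED, PASSED, PASSED, "Open Port"),
    SwitchAction(PASSED, UNAVAILABLE, PASSED, "Open Port"),
    SwitchAction(UNAVAILABLE, IGNORE, UNAVAILABLE, "Switch to VLAN-Remediation"),
    SwitchAction(IGNORE, FAILED, IGNORE, "Close Port"),
    SwitchAction(IGNORE, IGNORE, FAILED, "Switch to VLAN-Remediation"),
])


def shadowing_demo():
    """Show why row order matters: a catch-all row moved to the top hides every row below it."""
    catch_all = SwitchAction(IGNORE, IGNORE, IGNORE, "Open Port")
    correct = decide(TABLE, PASSED, PASSED, FAILED)
    shadowed = decide([catch_all] + TABLE, PASSED, PASSED, FAILED)
    return correct, shadowed
```

`shadowing_demo()` returns the remediation action from the ordered table and Open Port from the mis-ordered one, which is the failure mode Move Up and Move Down exist to prevent.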

Editing basic information about the switch policy and 802.1x-aware switch

You can change the following parameters about the switch policy and the802.1x-aware switch:

■ Switch policy name. See "Editing the name of a switch policy" on page 175.

■ Switch model. See "Selecting a different switch model for the switch policy" on page 176.

■ Shared secret. See "Editing an encrypted password or shared secret" on page 177.

■ RADIUS server group. See "Selecting a different RADIUS server group" on page 178.

■ Reauthentication time period. See "Editing the reauthentication period" on page 179.

■ Forwarding protocols besides EAP. See "Enabling protocols other than EAP" on page 179.

Editing the name of a switch policy

You can edit the name of the switch policy at any time if circumstances change.


Page 176: Enforcer Implementation Guide SNAC11.0.5

To edit the name of a switch policy

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 In the Admin page, under View Servers, under Tasks, click Edit GroupProperties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click the switch policy that you want to change.

5 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, edit the name of the switch policy in the Switch policy namefield.

7 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, click OK.

8 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Selecting a different switch model for the switch policy

You can select a different switch model for the switch policy at any time if circumstances change.

To select a different switch model for the switch policy

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 In the Admin page, under View Servers, under Tasks, click Edit GroupProperties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose switch model you want to change.

5 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, select a different switch model from the following Switchmodel list:

■ Other

If your model is not listed, select Other to use a generic RADIUS server attribute.

■ 3Com

■ Alcatel switch

■ Cisco Catalyst Series

■ Enterasys Matrix Series

■ Extreme Summit Series

■ Foundry Networks

■ HP Procurve Series

■ Nortel BayStack Series

■ Cisco Aironet Series

■ Aruba Switches

■ Airespace Wireless Controller

■ Nortel Wireless

■ Enterasys wireless controller

■ HuaWei switch

If the administrator chooses transparent mode on the HuaWei switch, the administrator must configure the policy to use transparent mode on the client, rather than letting the user select.

7 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, click OK.

8 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Editing an encrypted password or shared secret

You can edit the shared secret at any time if circumstances change.

To edit an encrypted password or shared secret

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 In the Admin page, under View Servers, under Tasks, click Edit GroupProperties.


Page 178: Enforcer Implementation Guide SNAC11.0.5

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click the switch policy whose shared secret you want to change.

5 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the Basic Information tab, type the new shared secret in the Shared secret field.

7 In the Edit Switch Policy for name of switch policy dialog box, on the Basic Information tab, type the new shared secret again in the Confirm shared secret field.

8 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, click OK.

9 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Selecting a different RADIUS server group

You can select a different RADIUS server group at any time if circumstances change.

To select a different RADIUS server group

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 In the Admin page, under View Servers, under Tasks, click Edit GroupProperties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose RADIUS server group you want to change.

5 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, select a different RADIUS server group from the RADIUSserver group list.

You must have added more than one RADIUS server group before you canselect a different RADIUS server group.

7 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, click OK.

8 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.


Page 179: Enforcer Implementation Guide SNAC11.0.5

Editing the reauthentication period

You can edit the reauthentication period at any time if circumstances change.

You must specify the amount of time in seconds within which the client must be reauthenticated. Otherwise the client is removed from the list of connected clients and disconnected from the network.

You should set the reauthentication period to at least double the reauthentication interval on the switch.

For example, if the reauthentication interval on the switch is 30 seconds, the LAN Enforcer reauthentication period should be at least 60 seconds. Otherwise the LAN Enforcer assumes that the client has timed out, and the client does not release and renew its IP address.

The default setting is 30 seconds.

To edit the reauthentication period

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 Click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click the switch policy that you want to change.

5 On the Switch tab in the Switch Policy table, click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, edit the reauthentication period in the Reauthenticationperiod in seconds field.

7 Click OK.

8 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Enabling protocols other than EAP

You can allow the LAN Enforcer to forward the RADIUS packets that contain authentication protocols other than EAP.

Other protocols include:

■ Challenge Handshake Authentication Protocol (CHAP)

■ PAP

The default setting is enabled.


Page 180: Enforcer Implementation Guide SNAC11.0.5

To enable protocols other than EAP

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.

3 Click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click the switch policy that you want to change.

5 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the BasicInformation tab, check Enable protocols besides EAP.

You can have the following protocols forwarded:

■ Challenge Handshake Authentication Protocol (CHAP)

■ PAP

7 Click OK.

8 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Editing information about the 802.1x-aware switch

You can change the following parameters about the 802.1x-aware switch:

■ The IP address, host name, or subnet of an 802.1x-aware switch. See "Editing the IP address, host name, or subnet of an 802.1x-aware switch" on page 180.

■ Removal of an 802.1x-aware switch from the switch list. See "Deleting an 802.1x-aware switch from the switch list" on page 181.

Editing the IP address, host name, or subnet of an 802.1x-aware switch

You can change the IP address, host name, or subnet of an 802.1x-aware switch at any time if circumstances require it.

To edit the IP address, hostname, and subnet of an 802.1x-aware switch

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 In the Admin page, under View Servers, select the Enforcer group.


Page 181: Enforcer Implementation Guide SNAC11.0.5

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click the switch policy that you want to change.

5 Click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the SwitchAddress tab, check Edit All.

7 In the Edit IP Addresses dialog box, add or edit the IP addresses, host names, or subnets for the 802.1x-aware switch.

The format of the text is as follows:

Single IP Address: name: address

IP Range: name: start address-end address

Subnet: name: start address/subnet mask

8 In the Edit Switch Policy for name of switch policy dialog box, on the SwitchAddress tab, click OK.

9 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.
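A parser for the three line formats of the Edit IP Addresses dialog in step 7, as an added Python example (not Symantec code and not part of the guide). The switch names and addresses in `SAMPLE` are constructed, and `find_switch`, which looks up the RADIUS request's source address against the list, is an assumption about how an Enforcer would use the entries, included to show what each format matches and what it rejects.

```python
"""Parser for the 'name: address' switch-list text format (added example, not Symantec code)."""
import ipaddress


def parse_switch_list(text):
    """Accept 'name: address', 'name: start-end' and 'name: address/subnet mask' lines.
    Returns a list of (name, matcher) where matcher(ip) tells whether ip is that switch."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, spec = line.partition(":")
        name, spec = name.strip(), spec.strip()
        if not sep or not name or not spec:
            raise ValueError(f"line {lineno}: expected 'name: address'")
        if "-" in spec:                                  # IP Range
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
            if lo > hi:
                raise ValueError(f"line {lineno}: range start is after its end")
            entries.append((name, lambda ip, lo=lo, hi=hi: lo <= ip <= hi))
        elif "/" in spec:                                # Subnet, mask written out as in the dialog
            net = ipaddress.IPv4Network(spec, strict=False)
            entries.append((name, lambda ip, net=net: ip in net))
        else:                                            # Single IP Address
            addr = ipaddress.IPv4Address(spec)
            entries.append((name, lambda ip, addr=addr: ip == addr))
    return entries


def find_switch(entries, nas_ip):
    """Friendly name of the first entry covering nas_ip, or None when the request
    did not come from a switch that this policy lists."""
    ip = ipaddress.IPv4Address(nas_ip)
    for name, matches in entries:
        if matches(ip):
            return name
    return None


# Constructed sample in the three formats the dialog accepts
SAMPLE = """
core-sw1: 10.1.0.2
access-stack: 10.1.10.1-10.1.10.8
wlan-controllers: 10.2.0.0/255.255.255.0
"""
```

Entries are checked in the order written, so an overlapping single address placed before a subnet wins the name; a malformed line (no colon, an inverted range, or a bad address) raises rather than silently matching nothing.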

Deleting an 802.1x-aware switch from the switch list

You can delete an 802.1x-aware switch from the switch list at any time if circumstances require it.

To delete an 802.1x-aware switch

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 Under View Servers, select the Enforcer group.

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the SwitchPolicy table, click the 802.1x-aware switch that you want to delete from theswitch list.

5 In the LAN Enforcer Settings dialog box, on the Switch tab, click Remove.

6 Click OK.


Page 182: Enforcer Implementation Guide SNAC11.0.5

Editing VLAN information for the switch policy

You can change the following parameters about VLANs on the 802.1x-aware switch:

■ The VLAN ID and VLAN name of an 802.1x-aware switch. See "Editing the VLAN ID and VLAN name of an 802.1x-aware switch" on page 182.

■ VLAN and role information on the 802.1x-aware Aruba switch. See "Configuring VLAN and role information on the 802.1x-aware Aruba switch" on page 183.

■ Removal of VLANs on an 802.1x-aware switch. See "Deleting the VLANs on an 802.1x-aware switch" on page 183.

Editing the VLAN ID and VLAN name of an 802.1x-aware switch

You can change the VLAN ID and VLAN name of an 802.1x-aware switch at any time if circumstances require it.

Some switches, such as the Cisco switch, have a guest VLAN feature. The guestVLAN is normally used if EAP user authentication fails. If EAP authenticationfails, the switch connects the client to the guest VLAN automatically.

If you use the LAN Enforcer for VLAN switching, it is recommended that you donot use the reserved guest VLAN when you set up VLANs and actions on the LANEnforcer. Otherwise the 802.1x supplicant may respond as if EAP authenticationfailed.

When setting up VLANs, make sure that all of them can communicate with themanagement server.

To edit the VLAN ID and VLAN name of an 802.1x-aware switch

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 Under View Servers, select the Enforcer group.

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose VLAN information you want to change.

5 Click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the Switch Address tab, select the VLAN that you want to edit.


7 On the VLAN tab, check Edit.

8 In the Edit VLAN dialog box, edit the VLAN ID in the VLAN ID field.

9 Edit the VLAN name in the VLAN name field.

If you plan to edit VLAN information about an Aruba switch, you may want to configure VLAN and role information somewhat differently than you have for other 802.1x switches.

See “Configuring VLAN and role information on the 802.1x-aware Aruba switch” on page 183.

10 In the Edit Switch Policy for name of switch policy dialog box, on the VLAN tab, click OK.

11 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Deleting the VLANs on an 802.1x-aware switch

You can delete the VLANs on an 802.1x-aware switch at any time if circumstances require it.

To delete the VLANs on an 802.1x-aware switch

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 Under View Servers, select the Enforcer group.

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose VLAN information you want to delete.

5 Click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the Switch Address tab, select the VLAN that you want to delete.

7 On the VLAN tab, check Remove.

8 Click OK.

9 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Configuring VLAN and role information on the 802.1x-aware Aruba switch

If you use an Aruba switch, you can leave the VLAN ID or the VLAN name field blank. However, for other switches, you must enter information in both fields.


For the Aruba switch, you can use these fields to specify either a VLAN or a role or both as follows:

■ To specify a VLAN, enter the VLAN ID in the VLAN ID field.

■ To specify a role, enter the role name in the VLAN name field.

For the Aruba switch you can also use this dialog box to set up separate switch actions for multiple roles on one VLAN or multiple VLANs for one role.

To configure VLAN and role information on the 802.1x-aware Aruba switch

1 If you had a VLAN ID 1 with role A and role B, fill in the VLAN ID as 1 and the VLAN name as A. Click OK.

2 Click Add again. In the Add VLAN dialog box, fill in the VLAN ID as 1 and the VLAN name as B and click OK.

Two separate choices become available for configuration on the switch action table.

Editing action information for the switch policy

You can change the following parameters for the actions in a switch policy on the 802.1x-aware switch:

■ Set the order of condition checking
See “Setting the order of condition checking” on page 185.

■ Select a different Host Authentication, User Authentication, or Policy Check condition
See “Selecting a different Host Authentication, User Authentication, or Policy Check condition” on page 186.

■ Select different actions
See “Selecting different actions” on page 187.

About issues with the switch policy, associated conditions, and actions

When configuring switch policies, keep the following issues in mind:

■ The Switch Action table must contain at least one entry.

■ If you do not select an action for a particular combination of results, the default action, Open Port, is performed.

■ To specify a default action for any possible combination of results, select Ignore Result for all three results.


■ When you add the actions to the table, you can edit any cell by clicking on the right corner of a column and row to display a drop-down list.

■ Some switches, such as the Cisco switch, have a guest VLAN feature. The guest VLAN is normally intended to be used if user authentication fails. In other words, if user authentication fails, the switch connects the client to the guest VLAN automatically.
If you use the LAN Enforcer for VLAN switching, it is recommended that you do not use the reserved guest VLAN when setting up VLANs and actions on the LAN Enforcer. Otherwise the 802.1x supplicant may respond as though user authentication failed.

■ If you deploy clients and are not ready to implement the full capabilities of the LAN Enforcer, you can specify an action of allowing access to the internal network that is based on the condition Ignore Result for the Host Integrity check and Policy Check. If you want to disregard the user authentication results and allow network access regardless of the results, you can do so with the condition Ignore Result for User Authentication results.

Setting the order of condition checking

You can change the order in which the Host Authentication, User Authentication, and Policy Check conditions are checked for a switch policy at any time if circumstances require it.

You can add an entry to the Switch Action table for each of the possible combinations of authentication results.

When you set up the conditions to check for, remember that the only circumstance in which all three results can be Pass or Fail is in the basic configuration. In the basic configuration, the client runs both an 802.1x supplicant that provides information about user authentication and a client that provides information about Host Integrity and the Policy Serial Number.

If you run only an 802.1x supplicant without a client, the results for the Host Integrity check and Policy Check are always Unavailable. If you run in transparent mode without a user authentication check, the user authentication result is always Unavailable.

The LAN Enforcer checks the authentication results against the entries in the table in order from top to bottom. After the LAN Enforcer finds a matching set of conditions, it instructs the 802.1x-aware switch to apply that action. You can change the sequence in which actions are applied by changing the order in which they are listed in the table.

If a LAN Enforcer cannot locate any entry that matches the current condition, a CLOSE PORT action is taken.
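The top-to-bottom, first-match evaluation of the Switch Action table described above, with Ignore Result as a wildcard and the three deployment modes the guide names (basic, supplicant only, transparent), as an added example that is not part of the original guide or of the product. `Result`, `SwitchAction`, the mode mapping in `results_for_deployment` and the sample table are constructed for illustration. The guide states both that Open Port is the default action when no action is selected for a combination of results and that CLOSE PORT is taken when no table entry matches, so the fallback is a parameter here and defaults to Close Port as this section states.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Result(Enum):
    PASS = "Pass"
    FAIL = "Fail"
    UNAVAILABLE = "Unavailable"


IGNORE = None   # "Ignore Result": the condition matches any result in that column


@dataclass(frozen=True)
class SwitchAction:
    host_auth: Optional[Result]      # Host Integrity result condition, or IGNORE
    user_auth: Optional[Result]      # 802.1x user authentication condition, or IGNORE
    policy_check: Optional[Result]   # Policy Serial Number check condition, or IGNORE
    action: str                      # "Open Port", "Close Port", or "Switch to VLAN-<name>"


@dataclass(frozen=True)
class AuthResults:
    host_auth: Result
    user_auth: Result
    policy_check: Result


def results_for_deployment(mode: str, host_auth: Optional[Result] = None,
                           user_auth: Optional[Result] = None,
                           policy_check: Optional[Result] = None) -> AuthResults:
    """Assumed mapping of the guide's deployment modes onto the three results:
    basic            - supplicant plus client, all three results available
    supplicant_only  - no client, so Host Integrity and Policy Check are Unavailable
    transparent      - client is the supplicant, no user authentication, so user auth is Unavailable
    """
    if mode == "basic":
        return AuthResults(host_auth, user_auth, policy_check)
    if mode == "supplicant_only":
        return AuthResults(Result.UNAVAILABLE, user_auth, Result.UNAVAILABLE)
    if mode == "transparent":
        return AuthResults(host_auth, Result.UNAVAILABLE, policy_check)
    raise ValueError(f"unknown deployment mode {mode!r}")


def _matches(condition: Optional[Result], result: Result) -> bool:
    return condition is IGNORE or condition == result


def evaluate(table: List[SwitchAction], results: AuthResults,
             no_match_action: str = "Close Port") -> str:
    """Walk the table from the top; the first row whose three conditions all match
    wins. If no row matches, return the fallback action."""
    if not table:
        raise ValueError("Switch Action table must contain at least one entry")
    for row in table:
        if (_matches(row.host_auth, results.host_auth)
                and _matches(row.user_auth, results.user_auth)
                and _matches(row.policy_check, results.policy_check)):
            return row.action
    return no_match_action


# Constructed sample table (not a configuration from the guide).
SAMPLE_TABLE = [
    SwitchAction(Result.PASS, Result.PASS, Result.PASS, "Open Port"),
    SwitchAction(Result.FAIL, IGNORE, IGNORE, "Switch to VLAN-remediation"),
    SwitchAction(IGNORE, IGNORE, Result.FAIL, "Switch to VLAN-remediation"),
    SwitchAction(IGNORE, Result.FAIL, IGNORE, "Close Port"),
]

# A table written for transparent mode: user authentication is always Unavailable
# there, so its column must be Ignore Result or nothing ever matches.
TRANSPARENT_TABLE = [
    SwitchAction(Result.PASS, IGNORE, Result.PASS, "Open Port"),
    SwitchAction(IGNORE, IGNORE, IGNORE, "Switch to VLAN-remediation"),  # catch-all last row
]


def order_sensitivity() -> Tuple[str, str]:
    """Same results, rows reordered: the outcome changes because only the first match counts."""
    r = AuthResults(Result.FAIL, Result.FAIL, Result.PASS)
    reordered = [SAMPLE_TABLE[3]] + SAMPLE_TABLE[:3]
    return evaluate(SAMPLE_TABLE, r), evaluate(reordered, r)


if __name__ == "__main__":
    print(evaluate(SAMPLE_TABLE, results_for_deployment("basic", Result.PASS, Result.PASS, Result.PASS)))
    print(evaluate(SAMPLE_TABLE, results_for_deployment("transparent", Result.PASS, policy_check=Result.PASS)))
    print(evaluate(TRANSPARENT_TABLE, results_for_deployment("transparent", Result.PASS, policy_check=Result.PASS)))
    print(order_sensitivity())
```

The transparent-mode case is the one to check before rollout: a table built for the basic configuration never matches a healthy transparent-mode client, so every such client falls through to the no-match action. A catch-all row with Ignore Result in all three columns, placed last, is the way the guide gives to make the fallback explicit.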


To set the order of condition checking

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 Under View Servers, select the Enforcer group.

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose order of condition checking you want to change.

5 Click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the Action tab, select the entry whose order of condition checking you want to change.

7 Click Move Up or Move Down.

8 Click OK.

9 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Selecting a different Host Authentication, User Authentication, or Policy Check condition

You can select a different Host Authentication, User Authentication, or Policy Check condition for a switch policy at any time if circumstances require it.

To select a different Host Authentication, User Authentication, or Policy Check condition

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 Under View Servers, select the Enforcer group.

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose authentication conditions you want to change.

5 Click Edit.

6 In the Edit Switch Policy for name of switch policy dialog box, on the Action tab, click any of the authentication conditions that you want to change in any of the following columns:

■ Host authentication


■ User authentication

■ Policy check

7 Select any of the following results that the 802.1x-aware switch needs to act on when certain criteria are met:

■ Host authentication result: Pass, Fail, Unavailable, or Ignore Result

■ User authentication result: Pass, Fail, Unavailable, or Ignore Result

■ Policy Check result: Pass, Fail, Unavailable, or Ignore Result

8 Click OK.

9 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Selecting different actions

To select different actions

1 In the Symantec Endpoint Protection Manager Console, click Admin.

In the Admin page, click Servers.

2 Under View Servers, select the Enforcer group.

3 Under Tasks, click Edit Group Properties.

4 In the LAN Enforcer Settings dialog box, on the Switch tab in the Switch Policy table, click the switch policy whose actions you want to change.

5 Click Edit.

6 On the Action tab, click any of the actions that you want to change in the Action column.

7 Select any of the following actions that the 802.1x-aware switch needs to take when certain criteria are met:

■ Open Port
The 802.1x-aware switch allows network access on the default VLAN to which the port is normally assigned. It also allows network access on the VLAN that is specified in an attribute that is sent from the RADIUS server. Therefore the support of users having VLAN access is based on user ID and user role.
The default action is Open Port.

■ Switch to VLAN-test
Allows access to the specified VLAN. The VLANs that are available to select are the ones that you configured previously.


■ Close Port
Deny network access on the default or RADIUS-specified VLAN. On some switch models, depending on the switch configuration, the port is assigned to a guest VLAN.

8 Click OK.

9 In the LAN Enforcer Settings dialog box, on the Switch tab, click OK.

Using advanced LAN Enforcer appliance settings

You can configure the following advanced LAN Enforcer appliance configuration settings:

■ Allow a legacy client.
See “Allowing a legacy client to connect to the network with a LAN Enforcer appliance” on page 188.

■ Enable local authentication.
See “Enabling local authentication on the LAN Enforcer appliance” on page 189.

Allowing a legacy client to connect to the network with a LAN Enforcer appliance

You can enable a LAN Enforcer appliance to connect to 5.1.x legacy clients. If your network supports an 11.0.2 Symantec Endpoint Protection Manager, a Symantec LAN Enforcer appliance, and needs to support 5.1.x legacy clients, you can enable the support of 5.1.x legacy clients on the management server console so that the Symantec LAN Enforcer appliance does not block them.

To allow a legacy client to connect to the network with a LAN Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the group of LAN Enforcer appliances.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Allow legacy clients.

6 Click OK.


Enabling local authentication on the LAN Enforcer appliance

If a LAN Enforcer appliance loses its connection with the computer on which the Symantec Endpoint Protection Manager is installed, the LAN Enforcer appliance can authenticate a client locally.

To enable local authentication on the LAN Enforcer appliance

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of LAN Enforcer appliances.

4 Select the LAN Enforcer appliance group for which you want to enable local authentication.

5 Under Tasks, click Edit Group Properties.

6 In the LAN Settings dialog box, on the Advanced tab, check Enable Local Authentication.

7 Click OK.

Using 802.1x authentication

If your corporate network uses a LAN Enforcer for authentication, you must configure the client computer to perform IEEE 802.1x authentication.

The 802.1x authentication process includes the following steps:

■ An unauthenticated client or third-party supplicant sends the user information and compliance information to a managed 802.11 network switch.

■ The network switch relays the information to the LAN Enforcer appliance. The LAN Enforcer appliance sends the user information to the authentication server for authentication. The RADIUS server is the authentication server.

■ If the client fails the user-level authentication or is not in compliance with the Host Integrity policy, the Enforcer may block network access. The LAN Enforcer appliance places the non-compliant client computer in a network according to the Switch Action table where the computer can be remediated.

■ After the client remediates the computer and brings it into compliance, the 802.1x protocol reauthenticates the computer and grants the computer access to the network.

To work with the LAN Enforcer appliance, the client can use either a third-party supplicant or a built-in supplicant.

Table 8-2 describes the types of options that you can configure for 802.1x authentication.


Table 8-2 802.1x authentication options

Option: Third-party supplicant

Description: Uses a third-party 802.1x supplicant.

The LAN Enforcer appliance works with a RADIUS server and third-party 802.1x supplicants to perform user authentication. The 802.1x supplicant prompts users for user information, which the LAN Enforcer passes to the RADIUS server for user-level authentication. The client sends the client profile and the Host Integrity status to the LAN Enforcer appliance so that it authenticates the computer.

Note: If you want to use the Symantec Network Access Control client with a third-party supplicant, then you must install the Network Threat Protection module of the Symantec Network Access Control client.

To use a third-party 802.1x supplicant, you must:

■ Configure the 802.1x switch to use the LAN Enforcer appliance as the RADIUS server so that the switch forwards authentication packets to the LAN Enforcer appliance.

■ Add the LAN Enforcer appliance as a client of the RADIUS server so that it accepts requests from the LAN Enforcer appliance.

■ In the console, you must specify the RADIUS server information and enable 802.1x authentication for the clients.

Option: Transparent mode

Description: Uses the client to run as an 802.1x supplicant.

You use this method if you do not want to use a RADIUS server to perform user authentication. The LAN Enforcer appliance runs in transparent mode and acts as a pseudo-RADIUS server.

Transparent mode means that the supplicant does not prompt users for user information. In transparent mode, the client acts as the 802.1x supplicant. The client responds to the switch’s EAP challenge with the client profile and the Host Integrity status. The switch, in turn, forwards the information to the LAN Enforcer appliance, which acts as a pseudo-RADIUS server. The LAN Enforcer appliance validates the Host Integrity and client profile information from the switch and can allow, block, or dynamically assign a VLAN, as appropriate.

Note: To use a client as an 802.1x supplicant, you must uninstall or disable third-party 802.1x supplicants on the client computer.

In transparent mode, you can leave the RADIUS server information empty on the LAN Enforcer Settings dialog box. The RADIUS server IP address is therefore set to 0 and no traditional EAP user authentication takes place.


Table 8-2 802.1x authentication options (continued)

Option: Built-in supplicant

Description: Uses the client computer's built-in 802.1x supplicant.

The built-in authentication protocols include Smart Card, PEAP, or TLS. After you enable 802.1x authentication, you or the users must specify which authentication protocol to use.

Warning: You must know whether your corporate network uses the RADIUS server as the authentication server. If you configure 802.1x authentication incorrectly, the connection to the network may break.

Note: To enable the user to configure 802.1x authentication on the client, you must set the client to client control.

To configure the client to use either transparent mode or a built-in supplicant

1 In the console, click Clients.

2 Under View Clients, select the group of the clients that you want to perform 802.1x authentication.

3 On the Policies tab, under Settings, click General Settings.

4 On the Security Settings tab, check Enable 802.1x authentication.

5 Check Use the client as an 802.1x supplicant.

6 Do one of the following actions:

■ To select transparent mode, select Use Symantec Transparent Mode.

■ To enable the user to configure a built-in supplicant, select Allows user to select the authentication protocol.
Users can choose the authentication protocol for their network connection.

7 Click OK.

To configure the client to use a third-party supplicant

1 In the console, click Clients.

2 Under View Clients, select the group of the clients that you want to perform 802.1x authentication.

3 On the Policies tab, under Settings, click General Settings.


4 On the Security Settings tab, check Enable 802.1x authentication.

5 Click OK.

You can configure the client to use the built-in supplicant. You enable the client for both 802.1x authentication and as an 802.1x supplicant.

About reauthentication on the client computer

If the client computer passed the Host Integrity check but the Enforcer blocks the computer, users may need to reauthenticate their computers. Under normal circumstances, users should never need to reauthenticate the computer.

The Enforcer may block the computer when one of the following events has occurred:

■ The client computer failed the user authentication because users typed their user name or their password incorrectly.

■ The client computer is in the wrong VLAN.

■ The client computer does not obtain a network connection. A broken network connection usually happens because the switch between the client computer and the LAN Enforcer did not authenticate the user name and password.

■ Users need to log on to a client computer that authenticated a previous user.

■ The client computer failed the compliance check.

Users can reauthenticate the computer only if you configured the computer witha built-in supplicant. The right-click menu on the notification area icon of theclient computer displays a Reauthentication command.


Chapter 9

Setting up temporary connections for Symantec Network Access Control On-Demand clients

This chapter includes the following topics:

■ About setting up temporary connections for Symantec Network Access Control On-Demand Clients

■ Setting up authentication on the Gateway or DHCP Enforcer console for Symantec Network Access Control On-Demand clients

■ Editing the banner on the Welcome page

■ Troubleshooting the connection between the Enforcer and the On-Demand clients

About setting up temporary connections for Symantec Network Access Control On-Demand Clients

End users often need to temporarily connect to an enterprise network even though their computers do not have the approved software. If an enterprise network includes a Gateway or a DHCP Enforcer appliance, an administrator can configure the appliance to allow noncompliant client computers to temporarily connect to an enterprise network as a guest.


The administrator can configure a Gateway or DHCP Enforcer appliance to automatically download Symantec Network Access Control On-Demand clients on both Windows and Macintosh platforms. As soon as the Symantec Network Access Control On-Demand client is downloaded to a client computer, the client can try to connect to the company's network.

If the client computer meets all requirements, a connection between the client computer and the Symantec Endpoint Protection Manager is automatically established. Therefore the compliant client computer can perform any task that the administrator enabled for this group on the Symantec Endpoint Protection Manager.

If the client computer cannot meet all requirements, a connection between the client computer and the Symantec Endpoint Protection Manager cannot be automatically established. The end user needs to resolve all noncompliant requirements on the client computer.

Before you configure Symantec Network Access Control On-Demand clients on the console of a Gateway or DHCP Enforcer

Before you can set up the automatic downloading of the Symantec Network Access Control On-Demand clients for Windows and Macintosh, you must have already completed the following tasks:

■ Installed the Symantec Network Access Control software that is located on the second CD-ROM called CD2. This software includes the Symantec Endpoint Protection Manager software that you must install. If you accidentally install the Symantec Endpoint Protection software that is located on the first CD-ROM called CD1, the Symantec Endpoint Protection Manager software cannot install all of the required components.
See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Written down the name of the encrypted password that you implemented during the installation of the Network Access Control software.
See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Installed and configured a Gateway or DHCP Enforcer appliance.
When you install and configure an Enforcer appliance for the first time, it assigns a name to the Enforcer group during the installation process. You must plan the assignment of IP addresses, host names, as well as the configuration of the network interface cards (NICs). If the NICs are incorrectly configured, then the installation fails or behaves in unexpected ways.
See “Before you install the Enforcer appliance” on page 71.


The name of the Enforcer group automatically appears on the console of the Symantec Endpoint Protection Manager in the Server pane that is associated with each Enforcer appliance.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Checked the connection status between the Enforcer appliance and the Symantec Endpoint Protection Manager server on the console of the Enforcer appliance.
See “Checking the communication status of an Enforcer appliance on the Enforcer console” on page 85.
See “Show” on page 236.

■ Enabled an HTTP redirect or DNS spoofing on the console of the Symantec Endpoint Protection Manager.
The HTTP redirect or DNS spoofing is the IP address of the internal NIC (eth1) that is located on a Gateway or DHCP Enforcer appliance.
For HTTP redirect, you add the URL in the Admin page on the Symantec Endpoint Protection Manager. After you display the Admin page, you must display the Servers pane and select the Enforcer group under View Servers. If you select the Enforcer group of which the Gateway or DHCP Enforcer is a member, click Edit Group Properties under Tasks. In the Enforcer Settings dialog box, you select the Authentication tab and type the URL in the HTTP redirect URL field. For example, you can type http://10.127.33.190.
For DNS spoofing, you accomplish this objective by having the DHCP Enforcer appliance modify the relevant DHCP messages that are sent to a client. The DHCP Enforcer appliance replaces the IP address of the DNS server in the DHCP message with the DHCP Enforcer appliance’s external IP address. Therefore the DHCP Enforcer appliance acts as a DNS server to the clients and thus prevents DNS spoofing.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Created the client group as a subgroup of the My Company group with Full Access rights.
You add the client group on the Clients page as a subgroup of the My Company group on the Symantec Endpoint Protection Manager.
Make sure that you write down the name of the Enforcer client group that manages Symantec Network Access Control On-Demand clients. If you do not create a separate group, then the Default group on the Symantec Endpoint Protection Manager takes over the management of the Symantec Network Access Control On-Demand clients.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.


■ Created an optional separate location for an Enforcer client group on the Symantec Endpoint Protection Manager Console.
If you do not create a separate location for the group that manages the Symantec Network Access Control On-Demand or guest clients, then the default location is automatically assigned to the guest clients. It is recommended that you create a separate location for the Enforcer client group on the Symantec Endpoint Protection Manager.
Location criteria help you define the criteria that can identify Symantec Network Access Control On-Demand or guest clients by their IP address, MAC address, host name, or other criteria. It is recommended that you create a separate location to which all Symantec Network Access Control On-Demand or guest clients are automatically assigned if they want to connect to a network on a temporary basis without the correct credential.
You can add and assign a location to the Enforcer client group in the Clients page, under Tasks, on the Symantec Endpoint Protection Manager.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Added and assigned an optional Host Integrity Policy to the Enforcer client group and location on the Symantec Endpoint Protection Manager Console.
Although it is optional to add and assign a Host Integrity Policy to the Enforcer client group and location on the console of a Symantec Endpoint Protection Manager, it is recommended that you specify the following criteria:

■ How frequently a host integrity check is run

■ Type of Host Integrity policy that you want to implement

You can add and assign an optional Host Integrity Policy to an Enforcer client group and location in the Policies page, under Tasks, on the Symantec Endpoint Protection Manager.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Enabled an optional pop-up message on the Symantec Endpoint Protection Manager Console.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.

■ Obtained the domain ID number that is located on the Symantec Endpoint Protection Manager Console.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control.
It is recommended that you have the domain ID handy because you may need to configure the domain ID on the Gateway or DHCP Enforcer with the on-demand spm-domain command.


See “Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.

Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network

If you want to enable the automatic downloading of a Symantec Network Access Control On-Demand client on a client computer on the Windows and Macintosh platforms, you must have already completed a number of configuration tasks.

See “Before you configure Symantec Network Access Control On-Demand clients on the console of a Gateway or DHCP Enforcer” on page 194.

You need to configure the following commands before you can enable Symantec Network Access Control On-Demand clients to connect to a network:

■ Execute the spm-domain command.

■ Execute the client-group command.

■ Execute the enable command.

■ Execute the authentication enable command. This command is optional.

See “To enable Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.

To enable Symantec Network Access Control On-Demand clients to temporarily connect to a network

1 Log on to the Gateway or DHCP Enforcer appliance console as a superuser.

See “Logging on to an Enforcer appliance” on page 82.

2 On the console of a Gateway or DHCP Enforcer appliance, type the following command:

Enforcer# on-demand

3 Type the following command:

Enforcer (on-demand)# spm-domain

where:

spm-domain represents a string that is displayed in the Enforcer automatically.

See “Before you configure Symantec Network Access Control On-Demand clients on the console of a Gateway or DHCP Enforcer” on page 194.


4 Type the following command:

Enforcer (on-demand)# client-group "My Company/name of Enforcer

client group"

where:

name of Enforcer client group represents the name of the Enforcer clientgroup that you already set up in the Clients page under View Clients on theconsole of a Symantec Endpoint Protection Manager. You should have alreadyset up this Enforcer client group as a subgroup to the My Company groupwith full access rights. If you have not set the Enforcer client group on theconsole of a Symantec Endpoint Protection Manager, the Enforcer will registerto the Default group. The information about the Enforcer client group isautomatically sent during the next heartbeat.

You can now set up authentication for the Symantec Network Access Control On-Demand clients.

See “Setting up authentication on the Gateway or DHCP Enforcer console for Symantec Network Access Control On-Demand clients” on page 199.

5 Type the following command:

Enforcer (on-demand)#enable

Disabling Symantec Network Access Control On-Demand clients for client computers

If you do not want the Symantec Network Access Control On-Demand client to be downloaded automatically to client computers, you can disable the download.

To disable Symantec Network Access Control On-Demand clients for client computers

1 Log on to the Gateway or DHCP Enforcer appliance console as superuser.

See “Logging on to an Enforcer appliance” on page 82.

2 On the console of a Gateway or DHCP Enforcer appliance, type on-demand.

3 Type disable.

4 Type exit.

5 Type exit to log off.


Page 199: Enforcer Implementation Guide SNAC11.0.5

Setting up authentication on the Gateway or DHCP Enforcer console for Symantec Network Access Control On-Demand clients

You can authenticate end users by adding a user name and password for each end user to the local database that is on board the Gateway or DHCP Enforcer appliance.

See “Setting up authentication with a local on-board database” on page 199.

If you do not want to use the local database that is on board the Gateway or DHCP Enforcer appliance, you can configure the Enforcer appliances to use a Microsoft Windows Server 2003 Active Directory to manage the authentication of the end users.

See “Setting up authentication with a Microsoft Windows 2003 Server Active Directory” on page 200.

Setting up authentication with a local on-board database

You can configure up to 1000 end users in the on-board database.

See “On-Demand authentication local-db commands” on page 275.

To set up authentication with a local database

1 Log on to the Gateway or DHCP Enforcer appliance console as a superuser.

See “Logging on to an Enforcer appliance” on page 82.

2 On a Gateway or DHCP Enforcer appliance console, type the following command:

Enforcer #on-demand

3 On a Gateway or DHCP Enforcer appliance console, type the following command:

Enforcer (on-demand)# authentication

4 Type the following command:

Enforcer (authentication)# enable


Page 200: Enforcer Implementation Guide SNAC11.0.5

5 Type the following command:

Enforcer (authentication)# local-db enable

6 Type the following command:

Enforcer (authentication)# ad domain string

where:

string represents the domain name of the Microsoft Windows Server 2003 Active Directory. For example, symantec.com.

Setting up authentication with a Microsoft Windows 2003 Server Active Directory

The Gateway and DHCP Enforcer appliances establish a connection to the Microsoft Windows 2003 Server through the domain name instead of the IP address. Therefore you must have set up a Domain Name Server (DNS) in the network that can resolve the domain name.

See “On-demand authentication ad commands” on page 272.

To set up authentication with an active directory server

1 Log on to the Gateway or DHCP Enforcer appliance console as a superuser.

See “Logging on to an Enforcer appliance” on page 82.

2 On a Gateway or DHCP Enforcer appliance console, type the following command:

Enforcer #on-demand

3 Type the following command:

Enforcer (on-demand)# authentication

4 Type the following command:

Enforcer (authentication)# enable

5 Type the following command:

Enforcer (authentication)# ad enable

6 Type the following command:

Enforcer (authentication)# ad domainid

where:

domainid represents the domain name of the Microsoft Windows Server 2003 Active Directory. For example, www.symantec.com.


Page 201: Enforcer Implementation Guide SNAC11.0.5

Setting up the On-Demand Client on Windows for authentication with the dot1x protocol

To set up the On-Demand Client on Windows for authentication with the dot1x protocol

1 On the Enforcer console, type: Enforcer#on-demand

2 Type the following command: Enforcer (on-demand)# dot1x

3 Type the following command: Enforcer (dot1x)# protocol tls

4 Type the following command: Enforcer (tls)# show protocol

The protocol must be set to tls. For example, Active Protocol: TLS

5 Type the following command: Enforcer (tls)# validate-svr enable

6 Type the following command: Enforcer (cert-svr)# exit

7 Type the following command: Enforcer (tls)# show tls

Make sure that the tls server certificate is enabled. For example:

TLS Validate Server Certificate: ENABLED

TLS Certificate Server: ENABLED

TLS Certificate Server: 127.0.0.1

8 Type the following command: Enforcer (dot1x)# certificate import tftp 10.34.68.69 password symantec username janedoe user-cert qa.pfx root-cert qa.cer

where:

10.34.68.69 is the TFTP server from which the Enforcer appliance imports the certificate by TFTP.

symantec is the password of the user certificate.

janedoe is the user name with which you log on to the client.

qa.pfx is the name of the user certificate.

qa.cer is the name of the root certificate.

Setting up the On-Demand Client on Windows for authentication with the peap protocol

To set up the On-Demand Client on Windows for authentication with the peap protocol


Page 202: Enforcer Implementation Guide SNAC11.0.5

1 On the Enforcer console, type: Enforcer#on-demand

2 Type the following command: Enforcer (on-demand)# dot1x

3 Type the following command: Enforcer (dot1x)# protocol peap

4 Type the following command: Enforcer (peap)# show protocol

Make sure that the peap server certificate is enabled; for example:

PEAP Validate Server Certificate: ENABLED

PEAP Certificate Server: DISABLED

PEAP Certificate Server: 127.0.0.1

PEAP Fast Reconnected: DISABLED

5 Type the following command: Enforcer (peap)# cert-svr host snac

where:

snac is the host name of the computer that acts as the CA server for the PEAP certificate.

Editing the banner on the Welcome page

You can edit the default banner text on the Welcome page of the Symantec Network Access Control On-demand client.

To edit the banner on the Welcome page

1 Log on to the Gateway or DHCP Enforcer appliance console as a superuser.

See “Logging on to an Enforcer appliance” on page 82.

2 Type the following command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

3 Type the following command:

Enforcer(on-demand)# banner

Press Enter.

4 In the pop-up window, type the message that you want end users to view on the Welcome page of the Symantec Network Access Control On-demand client.

You can type up to 1024 characters.


Page 203: Enforcer Implementation Guide SNAC11.0.5

Troubleshooting the connection between the Enforcer and the On-Demand clients

There are several areas and known issues that you may check to troubleshoot your connection between the Enforcer and On-Demand clients.

Table 9-1

Symptom: Firewall is blocking the client from working when the user downloads the agent through PPTP VPN, CheckPoint VPN, or Juniper VPN.
Solution: Several possible solutions:
■ Change firewall settings to unblock UDP port 39999.
■ Add a static route to the Enforcer's route table. For example:
route add IP netmask NM device eth0
where IP and NM are the IP address and netmask of the client's IP address pool. This pool is configured on the VPN by the administrator.

Symptom: Download times are sometimes long.
Solution: The client sometimes sends traffic to Verisign, which makes the download somewhat slow. A workaround is to have the administrator add Verisign to the trusted IP list.

Symptom: Host Integrity check is sometimes long the first time.
Solution: This is an issue with DNS resolution, and should not appear after the first Host Integrity check.

Symptom: Firewall on the client is blocking the On-Demand client from working when the user does not have Admin rights.
Solution: Users should change firewall settings to unblock UDP port 39999. Alternatively, set the firewall to allow cclientctl.exe.

Symptom: Upgrading the Enforcer does not initially contain the manual installation package.
Solution: This is due to the size of the packages taken together. The workaround is to upgrade the Enforcer and import the Client Manual Install Package on Symantec Endpoint Protection Manager first, then enable On-Demand functionality on the Enforcer. That will add the manual installation files.

Symptom: The redirect URL on the Enforcer will overwrite a previous redirect URL on SEPM.
Solution: This only happens when the On-Demand feature is enabled on the Enforcer. It is expected behavior.

Symptom: Vista clients sometimes do not receive an IP address from the DHCP server.
Solution: This is a timing issue. Change the DHCP timeout setting to 12 seconds or more.

Symptom: A normal user cannot install the agent if there is no JRE installed.
Solution: The workaround is to ensure that JRE is installed. Otherwise only Admin users can install.

Symptom: Wireless service is disconnected when the On-Demand client is installed and quit, when 802.1x authentication is used.
Solution: The user should restart the wireless connection.

Symptom: Systems running Norton 360 v. 2.x have a problem receiving the client.
Solution: Follow the "manual download" link, download and install, and it will work.

Symptom: With Firefox, cannot download the client and NP Plugin with only user rights.
Solution: Installation of the NP plugin requires Admin rights.

Symptom: Manual installation sometimes fails.
Solution: This could need installation of Microsoft patch KB893803. This patch is included with the manual install, and should be installed prior to the client installation. Admin privilege is required.

Symptom: 802.1x authentication fails.
Solution: The agent needs to install a driver to work. If the user needs 802.1x authentication on Windows Vista, the user needs to open the browser with the "Run as Administrator" method or turn off UAC to make sure the agent works with Administrator privileges.

Symptom: "Old version of ActiveX detected" message appears.
Solution: You should delete the existing ActiveX control by clicking Tools -> Manage Add-ons -> Enable or Disable Add-ons -> Downloaded ActiveX Controls, and deleting the HodaAgt class.

Symptom: Browser notifies the user, "can not display webpage," and the client cannot download successfully.
Solution: The client may already be running. As a security feature, you cannot download a new client inside of a running client session.

Symptom: Firefox browser sometimes cannot download the client.
Solution: This happens when Firefox is first run. The first one or two Firefox restarts are required for it to finish its configuration. After that the On-Demand client should download.

Symptom: Computers running Mac OS 10.4 sometimes do not authenticate properly due to a changing hostname.
Solution: This appears to be a problem with that version of the Mac OS. Version 10.5 does not have the problem. The workaround for version 10.4 is to set the hostname in /etc/hostconfig/.

Symptom: Custom Host Integrity checks that rely upon the system variable %temp% do not work.
Solution: This is because of the transitory nature of %temp%. The workaround is to point to different locations.

Symptom: Custom Host Integrity rules that point to registry values do not work properly.
Solution: This is because of the transient nature of user sessions.

Symptom: Installation of Panda Titanium 2007 or Panda Internet Security 2007 or 2008 software causes a message to appear, "Please wait while Windows configures Symantec Network Access Control."
Solution: Panda deletes a crucial SNAC file. It is automatically reinstalled, and you may safely take no action.


Page 207: Enforcer Implementation Guide SNAC11.0.5

Enforcer appliance command-line interface

This chapter includes the following topics:

■ About the Enforcer appliance CLI command hierarchy

■ CLI command hierarchy

■ Moving up and down the command hierarchy

■ Enforcer appliance CLI keystroke shortcuts

■ Getting help with CLI commands

About the Enforcer appliance CLI command hierarchy

The Enforcer appliance has a command-line interface (CLI) that is organized into a command hierarchy. The main (top-level) commands include the following command groups that access additional commands:

■ capture

■ configure

■ console

■ debug

■ mab

■ monitor

■ on-demand

■ snmp

Chapter 10

Page 208: Enforcer Implementation Guide SNAC11.0.5

CLI command hierarchy

Table 10-1 describes the hierarchy for the Enforcer commands.

Table 10-1 Enforcer appliance CLI command hierarchy

Top-level command: capture
First sub-level commands: The clear, exit, help, and show commands are only available to the admin logon and root (superuser). You can use the following sub-level commands:
■ clear
■ compress
■ exit
■ filter
■ help
■ show
■ start
■ upload
■ verbose
Second sub-level commands: not available

Top-level command: clear
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: configure
First sub-level commands: The clear, exit, help, and show commands are only available to the admin logon and root (superuser). You can use the following sub-level commands:
■ advanced
■ clear
■ dns
■ exit
■ help
■ interface
■ interface-role
■ ntp
■ redirect
■ route
■ show
■ spm
Second sub-level commands: Only the advanced command has a set of sub-level commands.

Top-level command: console
First sub-level commands: baud-rate, clear, exit, help, show, ssh, and sshkey. The clear, exit, help, and show commands are available to the admin logon and root (superuser).
Second sub-level commands: not available

Top-level command: date
First sub-level commands:
■ date
■ time
■ timezone
Second sub-level commands: not available

Top-level command: debug
First sub-level commands: clear, exit, destination, help, level, show, and upload. The clear, exit, help, and show commands are available to the admin logon and root (superuser).
Second sub-level commands: not available

Top-level command: exit
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: help
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: hostname
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: mab
First sub-level commands: The clear, exit, help, and show commands are only available to the admin logon and root (superuser).
■ clear
■ database
■ disable
■ enable
■ exit
■ help
■ ldap
■ show
Second sub-level commands: not available

Top-level command: monitor
First sub-level commands:
■ clear
■ exit
■ help
■ refresh
■ show
Second sub-level commands: all or IP ip address

Top-level command: on-demand
First sub-level commands: The clear, exit, help, and show commands are only available to the admin logon and root (superuser).
■ authentication
■ banner
■ clear
■ client-group
■ disable
■ dot1x
■ enable
■ exit
■ help
■ mac-compliance
■ show
■ spm-domain
Second sub-level commands: See each command for information about second sub-level commands.

Top-level command: password
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: ping
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: reboot
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: show
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: shutdown
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: snmp
First sub-level commands:
■ disable
■ enable
■ heartbeat
■ receiver
■ show
■ trap
■ exit
■ clear
■ help

Top-level command: start
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: stop
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: traceroute
First sub-level commands: not available
Second sub-level commands: not available

Top-level command: update
First sub-level commands: not available
Second sub-level commands: not available

Moving up and down the command hierarchy

If you want to access a command that is lower in the hierarchy, you type both the top-level command and the lower-level command. If you have several commands that you want to execute in a command group, you can type only the top-level command. You must then press Enter to enter the command group. The same process applies if you want to get a list of commands in a group. You can then type any command available from that group.

For example, the capture group contains a show command that shows the capture configuration settings. If you want to access the show command from the top level, type the following capture command:

Enforcer# capture show

If you type only the command that gives access to a command group and press Enter, the next prompt shows the command group in parentheses.

For example:

Enforcer# capture

Enforcer(capture)#

If you want to move up the hierarchy and access commands outside the group, you must first exit the command group.

Enforcer(capture)# exit

Enforcer#

Enforcer appliance CLI keystroke shortcuts

When you use the CLI, you can use keystrokes as shortcuts instead of typing commands or to get help in filling in commands.

Table 10-2 lists the CLI keyboard shortcuts and help.


Page 212: Enforcer Implementation Guide SNAC11.0.5

Table 10-2 CLI keyboard shortcuts and help

Keys: Tab key or ?
Action:
■ Lists all available commands or options.
or
■ Completes the command or option name or lists all possible commands or options that start with the letters that you typed.
For more information:
See “Getting help with CLI commands” on page 213.

Keys: CTRL+D
Action: Exits from a command group.

Keys: CTRL+C
Action: Deletes all characters on the command line.

Keys: !
Action: Lists the commands in the history buffer.
Commands that you type are stored in a 16k history ring buffer. The commands are indexed starting with 1. When the buffer overflows, the oldest command is replaced, and the index number changes, so that the oldest command always has index 1.
The ! command lists all commands in the history buffer. If you type a number following the !, the Enforcer console restores the command that has that number. The command is not executed until you press Enter.
The following is an example:
Enforcer# !
1. con
2. configure
3. ping 192.168.0.1
4. traceroute 192.168.0.16
Enforcer# !3
Enforcer# ping 192.168.0.1

Keys: Up-arrow key, Down-arrow key
Action: Restores the commands in the history buffer by moving up and down by index.

Keys: Left-arrow key, Right-arrow key
Action: Moves the cursor one character to the left or right.

Keys: Home and End keys
Action: Moves the cursor to the beginning or end of the command line.

Keys: Backspace key
Action: Deletes the character on the command line that is to the left of the cursor.

Keys: Delete key
Action: Deletes the character on which the cursor resides.
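The history ring buffer and the ! command described in the table above, modelled in Python as an added example (not Symantec code). It assumes the buffer capacity is counted in commands, since the page does not say whether "16k" means bytes or entries; replay_page_example uses a constructed 4-entry ring to reproduce the listing from the table and then shows the renumbering after an overflow.

```python
"""Model of the Enforcer CLI history ring buffer and the ! command (Table 10-2).

Added example, not Symantec code. Assumption: the buffer capacity is counted in
commands (the page says "16k history ring buffer" without saying bytes or
entries). As on the page, a command recalled with !n is placed on the command
line and is not executed until the user presses Enter.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple


class HistoryRing:
    """Fixed-size ring of typed commands, indexed from 1, oldest always at index 1."""

    def __init__(self, capacity: int = 16 * 1024) -> None:
        # deque(maxlen=...) discards the oldest entry on overflow, which gives the
        # renumbering the page describes: the oldest surviving command becomes 1.
        self._ring: Deque[str] = deque(maxlen=capacity)

    def record(self, command: str) -> None:
        """Store a command that the user executed with Enter."""
        self._ring.append(command)

    def listing(self) -> List[str]:
        """What 'Enforcer# !' prints: 'index. command' lines, oldest first."""
        return [f"{i}. {cmd}" for i, cmd in enumerate(self._ring, start=1)]

    def recall(self, index: int) -> Optional[str]:
        """The command at a 1-based index, or None if no such entry exists."""
        if 1 <= index <= len(self._ring):
            return self._ring[index - 1]
        return None


def handle_line(history: HistoryRing, line: str) -> Tuple[List[str], str]:
    """Process one line typed at the Enforcer prompt.

    Returns (printed lines, command line): the console output and what is left
    on the command line for the user to confirm with Enter. Only an ordinary
    command counts as executed and is recorded in the history; the '!' and '!n'
    lines themselves are not recorded (assumption).
    """
    text = line.strip()
    if text == "!":
        return history.listing(), ""
    if text.startswith("!"):
        if not text[1:].isdigit():
            return [f"invalid history reference: {text}"], ""
        recalled = history.recall(int(text[1:]))
        if recalled is None:
            return [f"no history entry {text[1:]}"], ""
        return [], recalled          # restored on the command line, not executed
    if text:
        history.record(text)         # execution itself is outside this model
    return [], ""


def replay_page_example() -> dict:
    """Reproduce the session printed in Table 10-2 with a constructed 4-entry ring."""
    hist = HistoryRing(capacity=4)
    for cmd in ("con", "configure", "ping 192.168.0.1", "traceroute 192.168.0.16"):
        handle_line(hist, cmd)
    listing, _ = handle_line(hist, "!")
    _, restored = handle_line(hist, "!3")
    # A fifth command overflows the ring: "con" is evicted and the rest renumbered.
    handle_line(hist, "show")
    after_overflow, _ = handle_line(hist, "!")
    return {"listing": listing, "restored": restored, "after_overflow": after_overflow}


if __name__ == "__main__":
    for key, value in replay_page_example().items():
        print(key, value)
```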


Page 213: Enforcer Implementation Guide SNAC11.0.5

Getting help with CLI commands

When you use the CLI, there are several ways to get help on commands and command options.

Table 10-3 shows the ways in which you can get help with CLI commands.

Table 10-3 Getting help with CLI commands

Task: List all available commands with a short description.
Action: At the command prompt, press Tab or ?. All commands available at the current hierarchy level are listed.
Example: After you type the configure command and press Enter to access the configure command group, press Tab or ? to display all available configure commands.

Task: Display a short description of a specific command.
Action: At the command prompt, type help followed by the command name. (The command must be available from the current hierarchy level.)

Task: Complete the command name or list all possible commands that start with the letters typed.
Action: Type one or more letters that begin the command name and press Tab or ?.
For example: When you type co and then press Tab or ? at the main command prompt, the Enforcer console lists all available commands that begin with co. As shown in the following example, two commands begin with con. Therefore the Enforcer console fills in the letter n.
Example:
Enforcer# co?
configure Configure Enforcer setting
console Console setting
Enforcer# con

Task: Display all the options for a specific command, with a short description of each option.
Action: Type the command and press Tab or ?.
For example: If you are in the configure command group and want to display the options for the interface command, type interface and press Tab or ?.
Example:
Enforcer(configure)# interface?
Each interface option is listed with a brief description.

Task: Complete the option name or list all available options that start with the letters typed.
Action: After you type the command name, type one or more letters that begin the option name and press Tab or ?.
For example: If you type the capture show command followed by the letter f, the Enforcer console lists the two options that begin with the letter f. Because they both begin with the letters fil, the console fills in the il.
Example:
Enforcer# capture show f?
files Display packet capture files
filter Display current packet capture filter
Enforcer# capture show fil
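The completion behaviour of Tables 10-2 and 10-3 and the admin/root availability rule of Table 10-1, modelled in Python as an added example (not Symantec code). The command names are transcribed from Table 10-1 and from the two listings above, and the four descriptions are the only ones the page prints; how a whole command line is matched and how the admin/root rule is applied to it (authorize) are assumptions made for illustration.

```python
"""Model of the Enforcer CLI hierarchy (Table 10-1), the Tab/? completion of
Table 10-3, and the rule that only clear, exit, help and show are available to
the admin logon while every other command needs root (superuser).

Added example, not Symantec code. Command names are transcribed from Table 10-1
and the two listings on this page; the four descriptions are the ones the page
prints. How a whole command line is matched and how the admin/root rule is
applied to it are assumptions made for illustration.
"""
from typing import Dict, List, Tuple

# Present in every command group (Table 10-1); the only commands admin may run.
COMMON = ("clear", "exit", "help", "show")

# Nested dict: key = command name, value = its sub-commands or options ({} = leaf).
HIERARCHY: Dict[str, dict] = {
    "capture": {"compress": {}, "filter": {}, "start": {}, "upload": {}, "verbose": {},
                # "capture show f?" on the page lists the options files and filter
                "show": {"files": {}, "filter": {}}},
    "configure": {"advanced": {}, "dns": {}, "interface": {}, "interface-role": {},
                  "ntp": {}, "redirect": {}, "route": {}, "spm": {}},
    "console": {"baud-rate": {}, "ssh": {}, "sshkey": {}},
    "date": {"date": {}, "time": {}, "timezone": {}},
    "debug": {"destination": {}, "level": {}, "upload": {}},
    "mab": {"database": {}, "disable": {}, "enable": {}, "ldap": {}},
    "monitor": {"refresh": {}},
    "on-demand": {"authentication": {}, "banner": {}, "client-group": {}, "disable": {},
                  "dot1x": {}, "enable": {}, "mac-compliance": {}, "spm-domain": {}},
    "snmp": {"disable": {}, "enable": {}, "heartbeat": {}, "receiver": {}, "trap": {}},
    "hostname": {}, "password": {}, "ping": {}, "reboot": {}, "shutdown": {},
    "start": {}, "stop": {}, "traceroute": {}, "update": {},
}
# The common commands exist at the top level and inside every command group.
HIERARCHY.update({c: {} for c in COMMON})
for _subs in HIERARCHY.values():
    for _c in (COMMON if _subs else ()):
        _subs.setdefault(_c, {})

# Short descriptions printed by ?; only those shown on the page are known here.
DESCRIPTIONS = {"configure": "Configure Enforcer setting", "console": "Console setting",
                "files": "Display packet capture files",
                "filter": "Display current packet capture filter"}


def _longest_common_prefix(names: List[str]) -> str:
    """The prefix shared by every name: what the console fills in on Tab or ?."""
    first, last = min(names), max(names)
    i = 0
    while i < min(len(first), len(last)) and first[i] == last[i]:
        i += 1
    return first[:i]


def _table(group: List[str]) -> Dict[str, dict]:
    """The command table shown at the prompt of `group` ([] is the top level)."""
    node = HIERARCHY
    for name in group:
        node = node[name]
    return node


def complete(group: List[str], typed: str) -> Tuple[str, List[str]]:
    """Emulate Tab or ? pressed after `typed` at the prompt of `group`.

    Returns (new command line, candidate names). Each word before the last must
    be a command at its level; the last word is the partial name to complete.
    """
    words = typed.split(" ")
    node = _table(group)
    for word in words[:-1]:
        if word not in node:
            return typed, []
        node = node[word]
    names = sorted(name for name in node if name.startswith(words[-1]))
    if not names:
        return typed, []
    return " ".join(words[:-1] + [_longest_common_prefix(names)]), names


def question_mark(group: List[str], typed: str) -> Tuple[str, List[str]]:
    """What the console prints for 'typed?': one 'name  description' line per candidate."""
    completed, names = complete(group, typed)
    return completed, [f"{n:<12}{DESCRIPTIONS.get(n, '')}".rstrip() for n in names]


def authorize(role: str, group: List[str], typed: str) -> bool:
    """Decide whether `role` ("admin" or "root") may run `typed` at the prompt of `group`.

    Assumption: words are matched against the hierarchy until a leaf is reached
    and any further words are arguments. admin may run a line only if one of its
    command words is in COMMON ("capture show files" yes, "capture start" no);
    root may run any line that resolves. Unknown commands are refused for everyone.
    """
    words = typed.split()
    if not words or role not in ("admin", "root"):
        return False
    node, consumed = _table(group), []
    for word in words:
        if not node:                      # leaf reached: the rest are arguments
            break
        if word not in node:
            return False
        consumed.append(word)
        node = node[word]
    return role == "root" or any(word in COMMON for word in consumed)
```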


Page 215: Enforcer Implementation Guide SNAC11.0.5

Enforcer appliance command-line interface reference

This chapter includes the following topics:

■ Command conventions

■ Enforcer appliance CLI in alphabetical reference

■ Top-level commands

■ Capture commands

■ Configure commands

■ Console commands

■ Debug Commands

■ MAB commands

■ Monitor commands

■ SNMP commands

■ On-Demand commands

Command conventions

The following conventions describe the syntax and usage of the Enforcer appliance command-line interface (CLI) commands:

Chapter 11

Page 216: Enforcer Implementation Guide SNAC11.0.5

Table 11-1 Conventions for the commands

Syntax: italics
Usage: Variables appear in italics. For example, n represents a variable:
n

Syntax: braces {}
Usage: If a command has multiple arguments, the multiple arguments are enclosed in braces {}. The following is an example of multiple arguments where n represents a variable:
{width n | height n}

Syntax: brackets [ ]
Usage: Optional arguments are enclosed in brackets []. The following is an example of an optional argument:
[metric]

Syntax: pipe symbol |
Usage: If a command has multiple arguments that exclude each other, a pipe symbol | separates the arguments. The following is an example of multiple arguments that exclude each other:
{width n | height n}

Enforcer appliance CLI in alphabetical reference

The Enforcer appliance commands are organized in a hierarchy with some commands at the top level and others under the following commands: capture, configure, console, debug, mab, monitor, and on-demand.

The commands clear, exit, help, and show are available from all levels of the hierarchy. However, they are only listed in the table at the top level. These commands are available when you log on as an administrator. All other commands are available only when you log on as root.

To display a description of all commands available at the current hierarchy level, you can type a question mark (?) or press Tab.

Table 11-2 gives a brief description of the commands.

Table 11-2 Summary of CLI commands

DescriptionCommand

Accesses the packet capture commands.

See “Capture commands” on page 239.

capture

Enforcer appliance command-line interface referenceEnforcer appliance CLI in alphabetical reference

216

Page 217: Enforcer Implementation Guide SNAC11.0.5

Table 11-2 Summary of CLI commands (continued)

DescriptionCommand

Configures the filtSymantec Endpoint Protection Managerer to be applied to packet capture.

See “Capture Filter” on page 239.

capture filter

Displays the capture configuration and lists the files that are captured.

See “Capture Show” on page 240.

capture show

Starts packet capture.

See “Capture Start ” on page 241.

capture start

Uses tftp protocol to send a file or files.

See “Capture Upload ” on page 242.

capture upload

Turns on or off the display of packet capture details.

See “Capture Verbose ” on page 242.

capture verbose

Clear the screen.

See “Clear” on page 233.

clear

Provides access to the Enforcer configure commands.

See “Configure commands” on page 243.

configure

Accesses the advanced configuration commands.

See the configure advanced commands that are listed in this table.

See “Configure advanced commands” on page 243.

configure advanced

Enables or disables trunking support (Gateway Enforcer only).

See “Configure advanced commands” on page 243.

configure advancedtrunking

Enables or disables Cisco catos support. (LAN Enforcer appliances only)

See “Advanced CATOS” on page 243.

configure advancedcatos

Enables or disables UID checking for legacy agents. (Gateway and DHCP Enforcer only)

See “Advanced check-uid” on page 243.

configure advancedcheck-uid

Configures a DNS spoofing IP address and enables or disables it on the DHCP Enforcer.Disabling deletes the DNS spoofing IP address and disables it in the DHCP Enforcer. (DHCPEnforcer appliances only)

See “Advanced DNS spoofing” on page 244.

configure advanceddns-spoofing

217Enforcer appliance command-line interface referenceEnforcer appliance CLI in alphabetical reference

Page 218: Enforcer Implementation Guide SNAC11.0.5

Table 11-2 Summary of CLI commands (continued)

DescriptionCommand

Configures Enforcer appliance failover settings.

See “Advanced failover” on page 244.

configure advancedfailover

Allows or blocks legacy agents.

See “Advanced legacy” on page 245.

configure advancedlegacy

Specifies legacy UID. (Gateway and DHCP Enforcer appliances only)

See “Advanced legacy-uid” on page 246.

configure advancedlegacy-uid

Enables or disables Enforcer authentication of clients .

See “Advanced Radius” on page 246.

configure advancedlocal-auth

Switches to different Enforcer type.

This option is not available if you are logged in to SSH session.

See “Advanced Re-initialize” on page 247.

configure advancedre-initialize

Enables or disables Radius accounting proxy support. (LAN Enforcer appliance only)

See “Advanced Radius” on page 246.

configure advancedradius

Set SNAC scanner IP, port, and pre-share key (Gateway and DHCP Enforcers applianceonly). Use this command to re-enable the SNAC scanner if it has been disabled.

See “Advanced Symantec Network Access Control Server Scanner” on page 247.

configure advancedsnacs

Enables or disables user class. (DHCP Enforcer appliance only)

See “Advanced User-class” on page 248.

configure advanceduser-class

Adds or deletes a DNS entry.

See “Configure DNS” on page 249.

configure dns

Configures network interface IP address and net mask.

See “Configure Interface” on page 250.

configure interface

Specifies internal and external network interfaces. (Gateway and DHCP Enforcer only)

See “Configure interface-role” on page 251.

configure interface-role

Establishes communication between an Enforcer appliance and a Network Time Serverwith an IP address, domain name, or web address. It also enables or disablessynchronization of time between the Network Time Server and the Enforcer appliance.

See “Configure NTP” on page 251.

configure ntp

Enforcer appliance command-line interface referenceEnforcer appliance CLI in alphabetical reference

218

Page 219: Enforcer Implementation Guide SNAC11.0.5

Table 11-2 Summary of CLI commands (continued)

DescriptionCommand

Specifies HTTP redirect URL when a client is not installed on a computer.

See “Configure Redirect” on page 252.

configure redirect

Configures route settings.

See “Configure Route” on page 252.

configure route

Displays the current configuration of each command in the configure group. If no argumentis specified, all settings appear.

See “Configure Show” on page 253.

configure show

Configures the connection. If you only modify one of the arguments, you need to modifyall of them or the default settings are automatically used for those arguments that youdid not modify.

See “Configure SPM” on page 253.

configure spm

Provides access to the console configuration commands.

See “Console commands” on page 254.

console

Sets the baud rate.

See “Console Baud-rate” on page 254.

console baud-rate

Enable or disable SSH remote logon.

See “Console SSH” on page 255.

console ssh

Sets and deletes the public key for ssh remote logon without a password.

See “Console SSHKEY” on page 255.

console sshkey

Displays the configuration settings for the console of an Enforcer appliance.

See “Console Show” on page 255.

console show

Sets the date, time, and time zone.

See “Date” on page 233.

date

Access the Enforcer appliance debug commands.

See “Debug Commands” on page 255.

debug

Sets debug destination (memory, disk, both).

See “Debug Destination” on page 256.

debug destination

219Enforcer appliance command-line interface referenceEnforcer appliance CLI in alphabetical reference

Page 220: Enforcer Implementation Guide SNAC11.0.5

Table 11-2 Summary of CLI commands (continued)

DescriptionCommand

Sets the debug information level.

See “Debug Level” on page 256.

debug level

Displays the configuration settings for debugging.

See “Debug Show” on page 257.

debug show

Uses the trusted file transfer protocol (tftp) to send a file or files to another computer.

See “Debug Upload” on page 257.

debug upload

Logs you off from the console of an Enforcer appliance when the command is used as atop-level command; otherwise the command exits a command group.

See “Exit” on page 233.

exit

Displays Help for a command

See “Help” on page 234.

help

Specifies the host name of an Enforcer appliance

See “Hostname” on page 235.

hostname

Provides access to commands on a LAN Enforcer appliance that enables you to implementMAC Authentication Bypass (MAB) on designated 802.1x-aware switches.

You must be logged on to the console of a LAN Enforcer appliance as a superuser beforeyou can execute this command.

See “MAB commands” on page 258.

mab

Provides access to all commands that add and manage local MAB database entries on aLAN enforcer appliance.

You must be logged on to the console of a LAN Enforcer appliance as a superuser beforeyou can execute this command.

mab database

Specifies the entries of MAC addresses, MAC address ranges, and MAC address masks ofall clients that use MAB. (LAN Enforcer appliance only)

You must be logged on to the console of a LAN Enforcer appliance as a superuser beforeyou can execute this command.

mab database add

Removes all MAC addresses from the local MAB database on a LAN Enforcer appliance.

You must be logged on to the console of a LAN Enforcer appliance as a superuser beforeyou can execute this command.

mab database clean

Enforcer appliance command-line interface referenceEnforcer appliance CLI in alphabetical reference

220

Page 221: Enforcer Implementation Guide SNAC11.0.5

mab database download
    Enables you to download all MAB entries from a TFTP server to the local MAB database on a LAN Enforcer appliance.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.

mab database upload
    Enables you to copy all MAB entries from a LAN Enforcer appliance to a location, such as a TFTP server.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.

mab disable
    Disables MAC Authentication Bypass (MAB) on a LAN Enforcer appliance for designated 802.1x-aware switches.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.
    See “MAB disable command” on page 260.

mab enable
    Enables a LAN Enforcer appliance to implement MAC Authentication Bypass (MAB) on designated 802.1x-aware switches.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.
    See “MAB enable command” on page 261.

mab ldap
    Establishes communication between a LAN Enforcer appliance and an LDAP server.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.
    See “MAB LDAP commands” on page 261.

mab ldap disable
    Disables MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.
    See “MAB LDAP disable command” on page 261.

mab ldap enable
    Enables MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.
    You must be logged on to the console of a LAN Enforcer appliance as a superuser before you can execute this command.
    See “MAB enable command” on page 261.

Page 222: Enforcer Implementation Guide SNAC11.0.5

mab show
    Displays configuration information about the LDAP server with which the LAN Enforcer appliance communicates.
    See “MAB show command” on page 264.

monitor
    Provides access to the Enforcer monitor commands.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Monitor commands” on page 264.

monitor refresh
    Updates information about a client's IP address, host name, policy ID, and MAC address.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Monitor refresh command” on page 265.

monitor show
    Displays information about blocked-hosts, connected-guests, and connected-users.
    See “Monitor show command” on page 265.

monitor show blocked-hosts
    ■ Displays information about a blocked host's host name and policy ID.
    ■ Displays information about a blocked host's host name, policy ID, and MAC address.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Monitor show blocked-hosts command” on page 265.

monitor show connected-guests
    ■ Displays information about a connected guest or On-Demand client's IP address, host name, and policy ID.
    ■ Displays information about a connected guest or On-Demand client's IP address, host name, policy ID, and MAC address.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Monitor show connected-guests commands” on page 266.

Page 223: Enforcer Implementation Guide SNAC11.0.5

monitor show connected-users
    ■ Displays information about a connected user or a managed client's IP address, host name, user name, and policy ID. A connected user or a managed client supports Symantec Endpoint Protection client software and Symantec Network Access Control client software.
    ■ Displays information about a connected user or a managed client's IP address, host name, policy ID, and MAC address.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Monitor show connected-users command” on page 268.

on-demand authentication local-db delete
    Allows you to remove an existing user account from the local database used to authenticate a Symantec Network Access Control On-Demand client on a client computer.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.

on-demand authentication local-db clear
    Allows you to clear all user accounts from the local database used to authenticate a Symantec Network Access Control On-Demand client on a client computer.
    Note: Keep at least one user account if you use local-db authentication.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.

on-demand disable
    Disables the automatic downloading of Symantec Network Access Control On-Demand or guest clients on the Gateway or DHCP Enforcer console.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “Disabling Symantec Network Access Control On-Demand clients for client computers” on page 198.

Page 224: Enforcer Implementation Guide SNAC11.0.5

on-demand enable
    Enables the automatic downloading of Symantec Network Access Control On-Demand or guest clients on the Gateway or DHCP Enforcer console. Otherwise the installation fails.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.
    See “On-Demand authentication local-db commands” on page 275.

on-demand authentication disable
    Enables you to stop the authentication process (the auth-daemon) on the console of a Gateway or DHCP appliance for a Symantec Network Access Control On-Demand client.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-demand authentication disable command” on page 274.
    The on-demand authentication disable command uses the following syntax:
    on-demand authentication disable
    The following example disables authentication for a Symantec Network Access Control On-Demand client on the console of a Gateway or DHCP Enforcer appliance:
    Enforcer# on-demand
    Enforcer (on-demand)# authentication disable

on-demand authentication enable
    Enables you to start the authentication process (the auth-daemon) on a Gateway or DHCP appliance console for the Symantec Network Access Control On-Demand client.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-demand authentication enable command” on page 274.

Page 225: Enforcer Implementation Guide SNAC11.0.5

on-demand authentication ad disable
    Disables Active Directory authentication of the Symantec Network Access Control On-Demand Client computer.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-demand authentication ad disable command” on page 272.

on-demand authentication ad domain
    Configures the communication between an Enforcer appliance and an Active Directory for the authentication of an On-Demand Client computer.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-demand authentication ad domain command” on page 273.

on-demand authentication ad enable
    Enables Active Directory authentication of the On-Demand Client computer.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-demand authentication ad enable command” on page 273.

on-demand authentication local-db
    Provides access to the on-demand authentication local-db commands.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand authentication local-db commands” on page 275.

on-demand authentication local-db add
    Enables you to set up the login name and password on a Gateway or DHCP appliance console for an end user who wants to automatically download a Symantec Network Access Control On-Demand client on a client computer.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

Page 226: Enforcer Implementation Guide SNAC11.0.5

on-demand authentication local-db disable
    Allows you to disable an authentication configuration for an On-Demand Client computer against a local database.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand authentication local-db enable
    Allows you to enable an authentication configuration for an On-Demand Client computer against a local database.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand authentication show
    Allows you to display authentication settings for an On-Demand Client computer.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand banner
    Enables you to edit the default banner on the Welcome page of the Symantec Network Access Control On-Demand clients.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “Editing the banner on the Welcome page” on page 202.
    See “On-Demand banner command” on page 277.

on-demand spm-domain
    Allows you to configure the domain ID on the console of a Gateway or DHCP Enforcer appliance. Otherwise the On-Demand Client installation fails.
    See “Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.
    After connection with the , the domain ID appears on the Enforcer appliance.
    See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control on how to locate the domain ID.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand spm-domain command” on page 288.

Page 227: Enforcer Implementation Guide SNAC11.0.5

on-demand dot1x
    Allows you to enable your configuration of port-based 802.1x network access control authentication for On-Demand Client sessions.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x default-user
    Allows you to configure anonymous port-based 802.1x network access control authentication for On-Demand Client sessions.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x certificate
    Allows you to configure an 802.1x authentication root and user certificate.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x certificate commands” on page 278.

on-demand dot1x certificate import
    Allows you to import an 802.1x authentication certificate.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x certificate import” on page 279.

on-demand dot1x certificate remove
    Allows you to delete an 802.1x authentication certificate.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x certificate remove command” on page 280.

on-demand dot1x peap
    Allows you to configure 802.1x Protected Extensible Authentication Protocol (PEAP) to authenticate an On-Demand Client into the protected network.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x peap command” on page 281.

Page 228: Enforcer Implementation Guide SNAC11.0.5

on-demand dot1x peap validate-svr enable
    Allows you to enable the validation of an 802.1x Protected Extensible Authentication Protocol (PEAP) server certificate for On-Demand Client access to the protected network.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x peap cert-svr command” on page 282.

on-demand dot1x peap validate-svr disable
    Allows you to disable validation of an 802.1x Protected Extensible Authentication Protocol (PEAP) server certificate for On-Demand Client access to the protected network.
    Note: With validation disabled, the client cannot tell whether it is talking to the intended authentication server or to another one presenting a different certificate; keep validation enabled outside of troubleshooting.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x peap cert-svr command” on page 282.

on-demand dot1x peap cert-svr
    Allows you to configure an 802.1x Protected Extensible Authentication Protocol (PEAP) root server certificate as well as a user certificate for On-Demand Client access to the protected network.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x peap fast-reconn enable
    Allows you to enable 802.1x Protected Extensible Authentication Protocol (PEAP) fast reconnection to the root server certificate for On-Demand Client access to the protected network.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x peap fast-reconn disable
    Allows you to disable 802.1x Protected Extensible Authentication Protocol (PEAP) fast reconnection to the root server certificate for On-Demand Client access to the protected network.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

Page 229: Enforcer Implementation Guide SNAC11.0.5

on-demand dot1x peap show
    Allows you to display the configuration settings for 802.1x Protected Extensible Authentication Protocol (PEAP) authentication for an On-Demand Client, to confirm that the active protocol is PEAP.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x peap exit
    Allows you to exit the command line interface configuration hierarchy for 802.1x Protected Extensible Authentication Protocol (PEAP).
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x protocol
    Allows you to configure the 802.1x authentication protocol for On-Demand Client access to the protected network as either PEAP or TLS.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x show
    Allows you to display at the command line interface the 802.1x configuration for an On-Demand Client and confirm that the configured protocol is either PEAP or TLS.
    You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x tls
    Allows you to enter configuration mode for the 802.1x transport layer security (TLS) protocol.
    You must be logged on a Gateway or a DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x tls validate-svr enable
    Allows you to enable the validation of a root server certificate for an 802.1x transport layer security (TLS) protocol configuration.
    You must be logged on a Gateway or a DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “On-Demand dot1x peap cert-svr command” on page 282.

Page 230: Enforcer Implementation Guide SNAC11.0.5

on-demand dot1x tls validate-svr disable
    Allows you to disable the validation of a root server certificate for an 802.1x transport layer security (TLS) protocol configuration.
    Note: As with the PEAP setting, disabling validation removes the client's only check on the identity of the authentication server; keep it enabled outside of troubleshooting.
    You must be logged on a Gateway or a DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x tls cert-svr enable
    Allows you to configure a root server certificate for an 802.1x transport layer security (TLS) protocol for On-Demand Client authentication.
    You must be logged on a Gateway or a DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x tls cert-svr disable
    Disables the TLS certificate server.

on-demand dot1x tls cert-svr host
    Sets the TLS certificate server's host name.

on-demand dot1x tls show
    Allows you to view configuration settings for an 802.1x transport layer security (TLS) protocol for On-Demand Client authentication.
    You must be logged on the Gateway or DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand dot1x tls exit
    Allows you to exit the command line interface mode for 802.1x TLS configuration.
    You must be logged on a Gateway or a DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

Page 231: Enforcer Implementation Guide SNAC11.0.5

on-demand client-group
    Enables you to configure the preferGroup on the Gateway or DHCP Enforcer console and on the Console. Otherwise the installation fails. Although it is optional to set up a separate group for the Symantec Network Access Control On-Demand clients, it is recommended that you do so. If you do not set up a separate group, all Symantec Network Access Control On-Demand clients automatically become members of the Default group on the Symantec Endpoint Protection Manager Console.
    You must be logged on a Gateway or a DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.
    See “Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.
    See “On-Demand client-group command” on page 277.
    See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control on how to set up a group for the Symantec Network Access Control On-Demand clients or guest clients.

on-demand mac-compliance
    Enables you to configure the Symantec Network Access Control On-Demand client on a Macintosh platform to prevent an end user from installing unauthorized programs and files.
    See “On-Demand mac-compliance commands” on page 289.
    You must be logged on the Gateway or DHCP Enforcer console as a superuser before you can execute this command.

on-demand mac-compliance enable
    Allows you to configure the host integrity options for an On-Demand Client Macintosh platform.
    See “On-Demand mac-compliance commands” on page 289.
    You must be logged on the Gateway or DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand mac-compliance disable
    Allows you to disable the host integrity configuration for an On-Demand Client Macintosh platform.
    See “On-Demand mac-compliance commands” on page 289.
    You must be logged on the Gateway or DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

Page 232: Enforcer Implementation Guide SNAC11.0.5

on-demand mac-compliance show
    Allows you to configure the list of host integrity software options for an On-Demand Client Macintosh platform.
    See “On-Demand mac-compliance commands” on page 289.
    You must be logged on the Gateway or DHCP Enforcer console as a superuser before you can execute this command.
    See “Logging on to an Enforcer appliance” on page 82.

on-demand mac-compliance interval
    Allows you to set the compliance checking interval (in minutes) for the Symantec Network Access Control On-Demand Client.

password
    Changes the password to log on to the Enforcer appliance.
    See “Password” on page 235.

ping
    Sends an ICMP echo to a remote host.
    See “Ping” on page 235.

reboot
    Restarts the Enforcer appliance.
    See “Reboot” on page 236.

show
    Shows Enforcer appliance configuration and status information.
    See “Show” on page 236.

shutdown
    Turns off an Enforcer appliance.
    See “Shutdown” on page 236.

snmp
    Provides access to the Simple Network Management Protocol (SNMP) commands.

snmp disable
    Disables SNMP.

snmp enable
    Enables SNMP.

snmp heartbeat
    Sets the heartbeat for SNMP.

snmp receiver
    Configures the SNMP receiver settings.

snmp show
    Shows the configuration and status of SNMP.

snmp trap
    Sets the number of SNMP trap send attempts (try times) and the timeout value.

start
    Starts an Enforcer service.
    See “Start” on page 238.

Page 233: Enforcer Implementation Guide SNAC11.0.5

stop
    Stops an Enforcer service.
    See “Stop” on page 238.

traceroute
    Prints the route that packets take to the network host.
    See “Traceroute” on page 238.

update
    Updates the Enforcer appliance software.
    See “Update” on page 238.

Top-level commands

Top-level commands are available at the Enforcer CLI. They are general administration commands. Some of the commands, such as clear, exit, help, and show, are available from all levels of the hierarchy.

Clear

The clear command clears the contents of the screen.

The following is an example of the syntax:

Enforcer# clear

Date

The date command sets the system time or time zone for the appliance.

The following is an example of the syntax:

date {day <MM/DD/YY> | time <HH:MM:SS> | timezone}

Exit

The exit command exits the console, when used as a main command, or exits a command group when used from within a command group. You can also use Ctrl+D instead of the exit command.

The following is an example of the syntax:

Enforcer# exit

Page 234: Enforcer Implementation Guide SNAC11.0.5

Help

The help command displays help information for a specified command. If you want to display help for all available commands, type a question mark (?) or press Tab.

Note: A few commands are specific only to the Gateway Enforcer or only to the DHCP Enforcer. These commands do not appear on the other Enforcers.

The following is an example of the syntax for the Main Command Group:

help {capture | clear | configure | console | date | debug | exit | hostname | mab | monitor | on-demand | password | ping | reboot | show | shutdown | start | stop | traceroute | update | snmp}

When you use the help command within a command group, it displays help information for an individual command in the group. To display help for all commands in the group, you can type a question mark (?) or press Tab.

The following is an example of the syntax for the Capture Command Group:

help {clear | compress | exit | filter | show | start | verbose | ymodem | upload}

The following is an example of the syntax for the Configure Command Group:

help {advanced | clear | dns | exit | interface | interface-role | route | show | spm | redirect | ntp}

The following is an example of the syntax for the Configure Advanced Command Group:

help {catos | check-uid | clear | dnsspoofing | exit | failover | legacy | legacy-uid | local-auth | snacs | user-class | show | trunking}

The following is an example of the syntax for the Console Command Group:

help {baud-rate | clear | dimensions | exit | re-initialize | show | ssh | sshkey}

Page 235: Enforcer Implementation Guide SNAC11.0.5

The following is an example of the syntax for the Debug Command Group:

help {clear | compress | destination | exit | level | show | ymodem | upload}

The following is an example of the syntax for the Monitor Command Group:

help {refresh | show connected-guests | show blocked-hosts | show connected-users}

Hostname

The hostname command changes the host name of the Enforcer appliance. The default host name is Enforcer. If you change the name of an Enforcer appliance, you can distinguish between multiple Enforcer appliances on the Symantec Endpoint Protection Manager and in the Enforcer logs.

The host name is automatically registered on the Symantec Endpoint Protection Manager during the next heartbeat. If you change the host name of an Enforcer appliance, you may also need to change the entry on the DNS server.

The following is an example of syntax for the hostname command:

hostname hostname

Password

The password command changes the account password. You must confirm the existing password before specifying and confirming the new password. The new password must contain one lowercase letter, one uppercase letter, one digit, and one symbol.

The following is an example of syntax for the password command:

password

Ping

The ping command verifies the connection to a remote host that has been specified with an IP address or host name. The command uses ICMP echo request and echo reply packets to determine whether a particular IP system on a network is functional. You can use the ping command to diagnose IP network or router failures. The ping command enables you to check whether or not an Enforcer appliance can communicate with the Symantec Endpoint Protection Manager.

The following is an example of the syntax for the ping command:

Page 236: Enforcer Implementation Guide SNAC11.0.5

ping ip-address | hostname

Example

ping 192.168.0.1

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.

64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=0.585 ms

64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.149 ms

64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.131 ms

64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.128 ms

--- 192.168.0.1 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 57ms

rtt min/avg/max/mdev = 0.128/0.248/0.585/0.194 ms, pipe 2,

ipg/ewma 19.043/0.436 ms

Reboot

The reboot command restarts the Enforcer appliance.

The following is an example of the syntax for the reboot command:

reboot

Shutdown

The shutdown command shuts down the Enforcer appliance.

The following is an example of the syntax for the shutdown command:

shutdown

Show

The show command shows information about the Enforcer appliance configuration or status.

The following is an example of syntax for the show command:

Page 237: Enforcer Implementation Guide SNAC11.0.5

show {capture | configure | console | date | debug | hostname | status | update | version}

where:

capture
    Displays the packet capture settings such as protocol, filters, and compression.

configure
    Shows the Enforcer network and the Symantec Endpoint Protection Manager configuration.

console
    Shows the console configuration.

date
    Displays local time and UTC time.

debug
    Displays the Enforcer debug configuration.

hostname
    Displays the appliance host name.

status
    Shows the Enforcer service detail status.

update
    Shows the update available for installation from tftp, CD-ROM, or USB drive.

version
    Shows the Enforcer version and copyright information.

The following example lists the output of the show status command:

show status

Enforcer Status: ONLINE(ACTIVE)

Policy Manager Connected: NO

Policy Manager: 192.168.0.64 HTTP 80

Packets Received: 26

Packets Transmitted: 1

Packets Rx. Failed: 0

Packets Tx. Failed: 0

Enforcer Health: EXCELLENT

Enforcer Uptime: 0 days 00:00:28

Policy ID:

The following example lists the output of the show version command on a DHCPEnforcer appliance:

show version

Symantec Network Access Control Enforcer 6100 Series - v11.0.1

build XXXX, 2007-11-29,19:09

DHCP Enforcer mode


Start

The start command starts the Enforcer service.

The following is an example of the syntax for the start command:

Enforcer# start

Stop

The stop command stops the Enforcer service.

The following is an example of the syntax for the stop command:

Enforcer# stop

Traceroute

The traceroute command traces the route that packets take to reach a remote host. The remote host is specified with an IP address or host name.

The following is an example of the syntax for the traceroute command:

traceroute [ ip-address | hostname ]

Example

traceroute 10.50.0.180

traceroute to 10.50.0.180 (10.50.0.180), 30 hops max, 38-byte packets
 1 192.168.0.1 (192.168.0.1) 0.391 ms 0.132 ms 0.111 ms
 2 10.50.2.1 (10.50.2.1) 0.838 ms 0.596 ms 0.589 ms
 3 oldserver1.sygate.dev (10.50.0.180) 1.170 ms 0.363 ms 0.469 ms

Update

The update command updates the Enforcer software package from a tftp server, USB hard disk, or CD-ROM.

The following is an example of the syntax for the update command:

Enforcer# update


Capture commands

Commands in the Enforcer appliance capture command group allow you to capture packets on the Enforcer appliance NICs. The packets are saved to a file. Additional commands allow you to send the file in plain or compressed format to a client by various file-transfer protocols (tftp). The Enforcer appliance must be connected to the client by using the serial cable that is provided.

All commands in this group are listed and described except the capture exit and the capture help commands. The capture exit command exits the command group. The capture help command displays help information on all the commands in the group.

Capture Compress

The capture compress command compresses the capture file.

The capture compress command uses the following syntax:

compress {on | off}

where:

on    Enables compression.
off   Disables compression.

The following example describes the syntax for the capture compress on command on the console of an Enforcer appliance:

Enforcer# capture
Enforcer(capture)# compress on

Capture Filter

The capture filter command sets a filter that specifies which packets are captured.

The capture filter command uses the following syntax:

filter [auth] [spm] [failover] [all] [client ip-range]

where:

auth              Captures the authentication packets that are sent among the client, the Enforcer appliance, and the Symantec Endpoint Protection Manager. The default argument is auth.
spm               Captures the communication packets between the Symantec Endpoint Protection Manager and an Enforcer: the Enforcer profile download packets from the Symantec Endpoint Protection Manager and the log upload packets.
failover          Captures the Enforcer failover packets (sent out periodically to search for another Enforcer on the network). Failover is not accessible with a failopen card installed.
all               Captures all the packets that are specified.
                  This option is only available with the Gateway and DHCP Enforcers.
client ip-range   Sets the client IP range for capturing authentication packets on Gateway and LAN Enforcers only. The ip-range can be a combination of IP addresses, IP ranges, and subnet/mask entries. A comma with no spaces separates the arguments. You can format it as follows:
                  ■ IP address is formatted as nnn.nnn.nnn.nnn
                  ■ IP range is formatted as nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn
                  ■ Subnet/mask is formatted as nnn.nnn.nnn.nnn/nnn.nnn.nnn.nnn

The following example describes the syntax for the capture filter command:

Enforcer# capture filter auth client 192.168.0.1,192.168.0.10-192.168.0.100,192.168.1.1/255.255.255.0

This command filters all authentication packets for clients with the IP address 192.168.0.1, for clients whose IP address is in the range 192.168.0.10 to 192.168.0.100, and for clients in the subnet 192.168.1.1 with a netmask of 255.255.255.0.
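As an added example that is not part of the Symantec documentation, the following Python helper parses a client ip-range argument in the format described above and reports whether a given client address would be selected by the filter. The Enforcer's own matching code is not public; this is an independent reimplementation of the documented format, including the rule that commas carry no spaces.

```python
import ipaddress
import re

# One dotted-quad IPv4 address, the documented nnn.nnn.nnn.nnn form.
_OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
_SINGLE = re.compile(rf"^({_OCTETS})$")
_RANGE = re.compile(rf"^({_OCTETS})-({_OCTETS})$")
_SUBNET = re.compile(rf"^({_OCTETS})/({_OCTETS})$")


def parse_client_range(ip_range):
    """Parse a capture-filter 'client ip-range' argument.

    Returns a list of (kind, value) tuples, where kind is 'ip', 'range' or
    'subnet'. Raises ValueError for anything outside the documented format,
    including the spaces that the documentation says must not appear.
    """
    if ip_range != ip_range.strip() or " " in ip_range:
        raise ValueError("ip-range must be comma separated with no spaces")
    entries = []
    for part in ip_range.split(","):
        if m := _SINGLE.match(part):
            entries.append(("ip", ipaddress.IPv4Address(m.group(1))))
        elif m := _RANGE.match(part):
            lo = ipaddress.IPv4Address(m.group(1))
            hi = ipaddress.IPv4Address(m.group(2))
            if lo > hi:
                raise ValueError(f"range start exceeds end: {part}")
            entries.append(("range", (lo, hi)))
        elif m := _SUBNET.match(part):
            # strict=False accepts a host address such as 192.168.1.1 together
            # with its dotted netmask, as in the documentation's own example.
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append(("subnet", net))
        else:
            raise ValueError(f"unrecognized ip-range element: {part!r}")
    return entries


def is_valid_client_range(ip_range):
    """Return True if ip_range is in the documented format, False otherwise."""
    try:
        parse_client_range(ip_range)
        return True
    except ValueError:
        return False


def client_matches(ip_range, client_ip):
    """Return True if client_ip falls under any element of the ip-range filter."""
    addr = ipaddress.IPv4Address(client_ip)
    for kind, value in parse_client_range(ip_range):
        if kind == "ip" and addr == value:
            return True
        if kind == "range" and value[0] <= addr <= value[1]:
            return True
        if kind == "subnet" and addr in value:
            return True
    return False


if __name__ == "__main__":
    # The documentation's own example filter argument.
    example = "192.168.0.1,192.168.0.10-192.168.0.100,192.168.1.1/255.255.255.0"
    for ip in ("192.168.0.1", "192.168.0.50", "192.168.1.200", "192.168.0.101"):
        print(ip, "captured" if client_matches(example, ip) else "not captured")
```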

Capture Show

The capture show command displays the capture configuration and lists the files that are captured.

The capture show command uses the following syntax:

show {compress | files | filter | verbose | ymodem}

where:

compress   Shows if file compression is on or off
files      Shows all captured files in the Enforcer appliance’s capture folder
filter     Shows the current filter configuration
verbose    Shows the current verbose configuration
ymodem     Shows the Ymodem protocol option settings

Example:

capture show

Capture Filter: auth
Client IP Range:
Capture Verbose is ON.
Compress capture files before sending is ON.
YMODEM protocol option is YMODEM-g.

Capture Start

The capture start command starts packet capture. To stop, press Esc.

The capture start command uses the following syntax:

capture [start]

Example

Enforcer# capture
Enforcer(capture)# start

Captured packets are saved to /opt/GatewayEnforcer/bin/../capture/Dec-07-2005-12-24-23.cap.
Press ESC to stop capture...
0 0.000000 192.168.0.25 -> 192.168.0.211 UDP Heartbeat Ver 5.1.1915 Start Session to Agent. SEQ: 0f495cd8.
1 0.000000 192.168.0.25 -> 192.168.0.64 UDP RADIUS Access Request. ID 64 192.168.0.211 Query Status
2 0.000000 192.168.0.211 -> 192.168.0.25 UDP Heartbeat Ver 5.0.0 Keep Alive to Enforcer. SEQ: 0f495cd8. HI Disabled. Profile 85E0-10/20/2005 11:30:00 812. Host Integrity check is disabled. Host Integrity policy is disabled by administrator.
3 0.000000 192.168.0.64 -> 192.168.0.25 UDP RADIUS Access Accept. ID 64 192.168.0.211 Profile 85E0-10/20/2005 11:30:00 812
4 packets were captured.
Captured packets were saved to /opt/GatewayEnforcer/bin/../capture/Mar-07-2006-12-24-23.cap.

Capture Upload

The capture upload command uses the tftp protocol to send a file or files.

The capture upload command uses the following syntax:

capture upload {tftp://nnn.nnn.nnn.nnn filename}

Example:

Enforcer# capture
Enforcer(capture)# upload tftp://10.200.38.221 test.tar.gz

Capture Verbose

The capture verbose command enables or disables the display of packet details while the capture occurs.

The capture verbose command uses the following syntax:

verbose {on | off}

where:

on    Displays packet details
off   Does not display packet details

Configure commands

Commands in the Enforcer appliance CLI configure group allow you to view and configure the network interface settings and the connection to the Symantec Endpoint Protection Manager.

All commands in this group are listed and described except for the exit and help commands. The exit command exits the command group. The help command displays help information on individual commands in the group.

The configure group contains a command called advanced that gives access to a set of advanced configuration options.

See “Configure advanced commands” on page 243.

Configure advanced commands

Commands in the Enforcer appliance CLI advanced group are part of the configure group. They enable you to configure Enforcer advanced configuration settings.

All the commands in this group are described except the exit and help commands. The exit command exits the command group. The help command displays help information on the individual commands in the group.

Advanced CATOS

The advanced catos command enables or disables Cisco CATOS support.

The advanced catos command uses the following syntax (LAN Enforcer):

advanced catos {enable | disable}

Advanced check-uid

The advanced check-uid command enables or disables UID checking for legacy agents.

The advanced check-uid command uses the following syntax (Gateway and DHCP Enforcer):

advanced check-uid {enable | disable}


Advanced DNS spoofing

The advanced dnsspoofing command configures a DNS spoofing IP address and enables or disables it in the DHCP Enforcer. Disabling deletes the DNS spoofing IP address and disables it in the DHCP Enforcer.

The advanced dnsspoofing command uses the following syntax (DHCP Enforcer):

advanced dnsspoofing enable ip <ip-address> | disable

Advanced failover

The advanced failover command enables or disables Enforcer appliance failover and configures the failover port and sensitivity level.

This command is not accessible if Failopen is enabled.

The advanced failover command uses the following syntax (Gateway or DHCP Enforcer appliances):

advanced failover disable | {enable [port <port-number>] [sensitive <sensitive-level>]}

where:

disable                       Disables the Enforcer appliance failover
enable                        Enables the Enforcer appliance failover. The default setting is enable.
port <port-number>            Specifies an Enforcer failover port number from 1 to 65535
sensitive <sensitive-level>   Specifies an Enforcer appliance failover sensitivity level from 0 to 4 to indicate how often to check for other Enforcers

Gateway and DHCP Enforcer appliances have the following default configuration settings:

■ Failover is enabled.

■ The UDP port that the failover Enforcers use to communicate with each other is 39999.

■ The default failover sensitivity level is High (less than 5 seconds).

The sensitivity level determines how quickly the standby Enforcer appliance becomes the primary Enforcer appliance if it detects that the primary Enforcer has become disabled. The higher the level that is specified, the shorter the delay before the standby Enforcer appliance takes over. At the same time, more overhead is introduced in both networking and CPU processing.

The following levels are available:

Very High (0)   Fewer than 2 seconds
High (1)        Fewer than 5 seconds
Medium (2)      Fewer than 10 seconds
Low (3)         Fewer than 15 seconds
Very low (4)    Fewer than 30 seconds

Advanced legacy

The advanced legacy command enables or disables support for legacy agents. Legacy agent support is enabled by default.

Legacy agents are agents that run pre-5.x Sygate Security Agent software. For LAN Enforcer appliances, legacy agent represents Sygate Security Agents that run version 4.1 and later.

Legacy agent represents Sygate Security Agents that run version 3.5 or 4.x and does not include versions 2.x, 3.0, and 3.1.

Note: Support for legacy agents applies only to DHCP or Gateway Enforcer appliances.

The advanced legacy command uses the following syntax:

advanced legacy {allow | block}

where:

allow   Allows the legacy agents. The default setting is allow.
block   Blocks legacy agents

You can use Enforcer appliances on the sites that run earlier (legacy) versions of agents. If you allow legacy agents, the Enforcer appliance confirms that the legacy agent runs and then verifies the results of the Host Integrity check. If the agent passes the Host Integrity check, the agent can connect to the network. For legacy agents, the Enforcer appliance does not check the agent identifier to verify that it is a valid agent. It also does not check its profile serial number to confirm that its policies are up-to-date.


Advanced legacy-uid

The advanced legacy-uid command specifies the legacy client GUID.

The advanced legacy-uid command uses the following syntax (Gateway and DHCP Enforcer appliances):

advanced legacy-uid uid-string

Advanced local-auth

The advanced local-auth command enables or disables the Enforcer’s authentication of the client. Use this command for troubleshooting.

Client authentication is disabled by default.

The advanced local-auth command uses the following syntax:

advanced local-auth {disable | enable}

where:

enable    Verifies the client with the Symantec Endpoint Protection Manager and blocks the client if it is unable to connect to a Symantec Endpoint Protection Manager. The default setting for client authentication is enable.
disable   Disables the verification of the client and performs Host Integrity validation only.

By default, the Gateway Enforcer appliance verifies the unique identifier (UID) of the client with the Symantec Endpoint Protection Manager. If the Gateway Enforcer is unable to connect with a Symantec Endpoint Protection Manager to verify the UID, it blocks the client. Although it is not recommended as a troubleshooting step, you can stop the Gateway Enforcer appliance from verifying the UID.

When local authentication is disabled, the Gateway Enforcer appliance no longer verifies the UID. Instead, the Gateway Enforcer appliance only performs a Host Integrity validation check. Be sure to re-enable this setting if you want the Gateway Enforcer appliance to verify the UID.

Advanced Radius

The advanced radius command configures, enables, or disables Radius accounting proxy support.

The advanced radius command uses the following syntax (LAN Enforcer appliance):

advanced radius acc_proxy {enable | disable} | acc_port <1811-1813>

The following example describes the syntax for the advanced radius command (LAN Enforcer appliance):

Enforcer(advanced)# radius proxy {enable | disable}

Advanced Re-initialize

The advanced re-initialize command enables the switch to different Enforcer types by re-initializing the Enforcer configuration. This command is not available if you are logged into an SSH session.

The advanced re-initialize command uses the following syntax:

advanced re-initialize

Advanced Symantec Network Access Control Server Scanner

The advanced snacs command sets the IP address of the Symantec Network Access Control scanner, the port number, and the pre-shared key. You can use this command to re-enable the Symantec Network Access Control scanner if it has been disabled.

Note: Symantec Network Access Control Scanner does not support a printer connection to a Symantec DHCP Enforcer appliance. Printers do not accept the static routes that are configured for a Symantec DHCP Enforcer appliance. Therefore, the Symantec Network Access Control Scanner cannot communicate with a printer that is connected to a Symantec DHCP Enforcer appliance.

The advanced snacs command uses the following syntax (Gateway Enforcer appliance and DHCP Enforcer appliance):

advanced snacs enable | disable | set [ip <ipaddress>] [port <1811-1813>] [key <string>]

The following example describes the syntax for the advanced snacs command (Gateway Enforcer appliance and DHCP Enforcer appliance):

Enforcer(advanced)# snacs

disable    disable snacs
set ip     set ip IP address
set key    set key string


Advanced Show

The advanced show command shows the configuration settings for the Enforcer advanced commands.

The show command uses the following syntax:

show

Example:

Enforcer# configure advanced show

Failover Status: ENABLED
Failover Port: 39999
Failover Sensitivity Level: 1
Legacy Client: ALLOW
Local Authentication: ENABLED

Advanced User-class

The advanced user-class command enables or disables the user class ID SYGATE_ENF on the Enforcer appliance.

The advanced user_class command uses the following syntax (DHCP Enforcer):

advanced user_class {disable | enable}

where:

disable   Disables the Enforcer appliance user class ID
enable    Enables the Enforcer appliance user class ID

If you want to use one DHCP server as both the normal and quarantine DHCP server, you must complete the following configuration steps:

■ After you install the Enforcer appliance, use the advanced user_class command to enable the user class ID. After you enable the user class ID, the Enforcer appliance includes the user class ID SYGATE_ENF in the DHCP request. The Enforcer appliance then sends the DHCP request to the DHCP server for the clients that require a quarantine configuration.

■ Add the SYGATE_ENF user class to the DHCP server and configure the DHCP server. Consequently, when the DHCP server receives a request with the user class ID SYGATE_ENF, it provides a quarantine IP address and network configuration.


Advanced trunking

The advanced trunking command configures the trunking feature.

The advanced trunking command uses the following syntax:

advanced trunking enable | disable | chall-vlist <vlan-list> | nat-vid <vlan-id> | fail-vid <vlan-id> | mgmt-vid <vlan-id>

where:

enable                    Enables the trunking feature
disable                   Disables the trunking feature
chall-vlist <vlan-list>   Specifies the list of VLANs that the Gateway Enforcer should challenge. Format: n[-n][,n[-n]]... where n is 1-4096, for example 1,2,3-6,8,10-15
fail-vid <vlan-id>        Specifies the VLAN on which the Gateway Enforcer sends out and receives failover packets
mgmt-vid <vlan-id>        Specifies the management VLAN ID
nat-vid <vlan-id>         Specifies the VLAN ID of non-tagged packets

Configure DNS

The configure DNS command adds or deletes a Domain Name Service (DNS) server entry. For example, you need to add a DNS entry if you want to specify a Symantec Endpoint Protection Manager with a host name.

The configure DNS command uses the following syntax:

configure {add | delete} <ipaddress>

where:

add      Enables you to add the IP address of a DNS server.
delete   Enables you to delete the IP address of a DNS server.

The following example describes how to add the IP address of a DNS server on the console of an Enforcer appliance:

Enforcer# configure
Enforcer(configure)# dns add 192.192.192.10

Configure Interface

The configure interface command starts or shuts down a network interface card (NIC). It also configures the IP address of a NIC or configures a NIC as a DHCP client.

The configure interface command uses the following syntax:

configure interface up <nic-name> | down <nic-name> | failopen | set <nic-name> ip <ipaddress> [netmask <netmask>]

where:

up <nic-name>                 Name of the NIC to start, such as eth0 or eth1. eth0 and eth1 are case sensitive.
down <nic-name>               Name of the NIC to stop, such as eth0 or eth1. eth0 and eth1 are case sensitive.
failopen [enable | disable]   Enables or disables the Bypass mode for the fail-open Ethernet card. If a Gateway Enforcer appliance that is configured as a gateway fails, the configuration enables the Bypass state on the Gateway appliance.
set <nic-name>                Name of the NIC, such as eth0 or eth1, to be configured as a DHCP client. The name is case sensitive.
set <nic-name> ip <ipaddress> netmask <netmask>
                              Name of the NIC (eth0 or eth1, case sensitive) for which to configure a static IP address and subnet mask:
                              ■ ip <ipaddress>: IP address of the NIC
                              ■ netmask <netmask>: Subnet mask of the NIC
set gateway <ipaddress>       Name of the NIC, such as eth0 or eth1, that you can configure as a gateway if you want to implement a bypass mode. eth0 and eth1 are case sensitive.

Example:

configure interface set eth0 ip 10.0.0.1 netmask 255.0.0.0

This command sets the IP address of eth0 to 10.0.0.1 with a netmask of 255.0.0.0. Replace the IP address and netmask with the values that you want to use. You must configure a second NIC (eth1) for Gateway and DHCP Enforcer appliances.

Configure interface-role

The configure interface-role command specifies the NIC that represents the internal NIC.

You can also specify the external NIC (Gateway Enforcer appliance and DHCP Enforcer appliance only).

You can also specify the NIC that communicates with the Symantec Endpoint Protection Manager (DHCP Enforcer appliance only).

The configure interface-role command uses the following syntax:

interface-role internal <nic-name> | external <nic-name> | manager <nic-name> (DHCP Enforcer only)

where:

internal <nic-name>   Name, such as eth0 or eth1, of the NIC that connects to the internal network. The name is case sensitive.
external <nic-name>   Name, such as eth0 or eth1, of the NIC that connects to an external network. The name is case sensitive.
manager <nic-name>    Name, such as eth0 or eth1, of the NIC that connects to the Symantec Endpoint Protection Manager (DHCP Enforcer only). The name is case sensitive.

Configure NTP

The configure ntp server command establishes communication between an Enforcer appliance and a Network Time Server by specifying an IP address, domain name, or web address.

The configure ntp enable and configure ntp disable commands start and stop the synchronization of time between an Enforcer appliance and a Network Time Server with the Network Time Protocol.

The configure ntp command uses the following syntax:

ntp enable | disable | server <hostname>

where:

ntp server <hostname>   Establishes communication between an Enforcer appliance and a Network Time Server by specifying an IP address, domain name, or Web address.
ntp enable              Starts synchronizing time between an Enforcer appliance and a Network Time Server with the Network Time Protocol.
ntp disable             Stops synchronizing time between an Enforcer appliance and a Network Time Server with the Network Time Protocol.

Configure Redirect

The configure redirect command specifies an HTTP redirect address when a client is not installed on an endpoint. (Gateway Enforcer appliance only. Not applicable if a Symantec Endpoint Protection Manager is deployed in a network environment.)

The configure redirect command uses the following syntax:

configure redirect <url-string>

Configure Route

The configure route command adds or deletes a route table entry. You can configure multiple entries.

The configure route command uses the following syntax:

configure route {add | delete} <ipaddress> netmask <netmask> device <nic-name> [gateway <ipaddress>] [metric <metric-number>]

where:

add <ipaddress> netmask <netmask>      IP address and subnet mask of the entry to be added to the route table
delete <ipaddress> netmask <netmask>   IP address and subnet mask of the entry to be deleted from the route table
device <nic-name>                      Interface name (eth0 or eth1, case sensitive) of the entry
gateway <ipaddress>                    IP address of the gateway for the entry
metric <metric-number>                 Metric of the entry, an integer from 1 to 32

The following example adds an entry in a route table with an IP address, a subnet mask, a NIC name, and a gateway IP address:

Enforcer# configure
Enforcer(configure)# route
Enforcer(route)# add 192.168.45.0 netmask 255.255.255.0 device eth0 gateway 192.168.40.1

Configure Show

The configure show command displays the current configuration of each command in the configure group. If no argument is specified, all settings appear.

The configure show command uses the following syntax (Gateway or DHCP Enforcer appliance only):

configure dns | interface [<nic-name>] | interface-role | ntp | redirect | route | spm

Configure SPM

The configure spm command sets up the connection between the Enforcer appliance and the Symantec Endpoint Protection Manager.

You must type all values if you change any of the values. Any values that you do not specify automatically use default values.

The configure spm command uses the following syntax:

configure spm {[ip <ipaddress>] | [group <group-name>] | [http <port-number>] | [https <port-number>] | [key <key-name>]} | [del key <shared-key>]

where:

ip <ipaddress>         Enables you to add the IP address of the Symantec Endpoint Protection Manager.
del key <shared-key>   Deletes the shared secret key.
group <group-name>     Enables you to specify a preferred group name for the Enforcer appliance. It is recommended that you assign a unique group name to distinguish the Enforcer appliances on the console of the Symantec Endpoint Protection Manager.

http <port-number>     Enables you to specify the HTTP protocol and the port number to communicate with the Symantec Endpoint Protection Manager. The default protocol is HTTP. The default port number for the HTTP protocol is 80.
https <port-number>    Enables you to specify the HTTPS protocol and the port number to communicate with the Symantec Endpoint Protection Manager. You should only use this command if the Symantec Endpoint Protection Manager has been set up to use the HTTPS protocol. The default port number for the HTTPS protocol is 443.
key <key-name>         Enables you to specify the encrypted password that is required if the Symantec Endpoint Protection Manager has been installed with one.

The following example describes how to configure an Enforcer appliance to communicate with the Symantec Endpoint Protection Manager at IP address 192.168.0.64 in an Enforcer group called CorpAppliance. It uses the HTTP protocol on port 80 with an encrypted password of “security.”

configure spm ip 192.168.0.64 group CorpAppliance http 80 key security

Console commands

Commands in the Enforcer appliance CLI console group allow you to configure console settings.

All the commands in this group are listed and described except for the exit and help commands. The exit command exits the command group. The help command displays help information on individual commands in the group.

Console Baud-rate

The console baud-rate command specifies the baud rate that the console uses to communicate with a client by the serial port. The baud rate that is set on the Enforcer appliance should match the baud rate that is set for this communication connection on the client.

The default baud rate is 9600.

The console baud-rate command uses the following syntax:

console baud-rate {9600 | 19200 | 38400 | 57600 | 115200}


Console SSH

The console ssh command starts or stops the SSH remote logon service. This command also specifies whether to start the ssh service when the computer starts.

The console ssh command uses the following syntax:

console ssh {start | stop} {off | on}

Console SSHKEY

The console sshkey command sets and deletes the public key for ssh remote logon without a password.

The console sshkey command uses the following syntax:

console sshkey set | delete

Example:

Enforcer(console)# sshkey set
Enforcer(console)# sshkey delete

Console Show

The console show command shows the console configuration settings.

The console show command uses the following syntax:

show

The following is an example of the syntax for the console show command:

Enforcer# console show

Serial Port Number: 1
Baud Rate: 9600
Flow Control: NONE
Console Width: 80
Console Height: 24

Debug Commands

Commands in this group allow the user to configure Enforcer debug settings and transfer debug files in plain or compressed form.

All the commands in this group are listed except the exit and help commands. The exit command exits the command group. The help command displays help information on individual commands in the group.

Debug Destination

The debug destination command configures where an Enforcer appliance can store debug files.

The debug destination command uses the following syntax:

destination {both | disk | memory}

where:

both     Stores debug files both in memory and on disk. The default setting is both.
disk     Stores debug files on hard disk only
memory   Stores debug files in memory only

Debug Level

The debug level command configures the level of debug information that the Enforcer stores.

The debug level command uses the following syntax:

level {disabled | fatal | error | information | support | engineer}

where:

disabled      Does not save debug information
fatal         Enables debug and sets the level to FATAL (save fatal debug messages only)
error         Enables debug and sets the level to ERROR (save fatal and error debug messages). The default argument is set to error.
information   Enables debug and sets the level to INFORMATION (save fatal, error, and information debug messages)
support       Enables debug and sets the level to SUPPORT (save fatal, error, information, and support debug messages)

engineer      Enables debug and sets the level to ENGINEER (save all debug messages)

Debug Show

The debug show command shows the configuration of debug settings.

The debug show command uses the following syntax:

show [compress | destination | file | files | kernel | kernel live | level | user | user live | ymodem]

where:

compress      Shows if compress is on
destination   Shows the debug destination
file          Shows the specified debug file name
files         Lists all debug files
kernel        Shows the kernel debug file
kernel_live   Shows the kernel debug file with live update
level         Shows the debug level
user          Shows the user debug file
user_live     Shows the user debug file with live update
ymodem        Displays the ymodem protocol setting

Debug Upload

The debug upload command uses the tftp protocol to transfer a debug file from an Enforcer appliance to a remote host.

The debug upload command uses the following syntax:

debug upload tftp <ipaddress> filename <filename>

Example:

Enforcer# debug upload tftp 10.200.39.251 filename debug_file


MAB commandsThe mab commands enable you to implement a Media Access Control (MAC)Authentication Bypass (MAB) with a LAN Enforcer appliance on the following802.1x-aware switches:

■ Cisco Catalyst Switch 3550 Series

■ Extreme Networks

■ Hewlett-Packard ProCurve Switch 2600 Series

■ Foundry Networks

When a LAN Enforcer appliance receives a MAB request, it looks up the addressin the local MAB database first. If the entry is located in the local MAB database,the LAN Enforcer appliance authenticates the client based on 802.1x-aware switchmodel. If an entry cannot be located in the local MAB database, the LAN Enforcerappliance then tries to connect to any available LDAP server.

If an LDAP server is not available to authenticate a client's MAC address or aclient's MAC address is not available in the database of the LDAP server, the LANEnforcer appliance then tries to connect to any available RADIUS server. Afterthe LAN Enforcer appliance receives the authentication result, it then sends amessage to the RADIUS server to accept or reject the packet. The LAN Enforcerappliance then completes the authentication session.

MAB database commands

The MAB database commands provide access to all commands that add and manage local MAB database entries on a LAN Enforcer appliance.

MAB database add command

If you enable MAB, you must add the MAC addresses of all designated MAB client computers to a local database on the LAN Enforcer appliance.

If you want to execute this command, you must be logged on as a superuser.

The mab database command uses the following syntax (LAN Enforcer appliance only):

mab database {add string}

where string represents:


Page 259: Enforcer Implementation Guide SNAC11.0.5

add MAC address, MAC address

Adds one or more MAC addresses into the local MAB database on a LAN Enforcer appliance. For example, 11:22:33:44:55:66. The delimiter inside a MAC address is a colon. Multiple MAC addresses are separated by a comma and a space.

add MAC address nx - MAC address ny, MAC address na - MAC address nb

Adds one or more MAC address ranges into the local MAB database on a LAN Enforcer appliance. For example, 11:22:33:44:55:66-11:22:44:55:66:77. The delimiter inside a MAC address is a colon. The starting and ending MAC addresses for a range are separated by a hyphen. Multiple MAC address ranges are separated by a comma and a space.

add MAC address/MAC mask, MAC address/MAC mask

Adds one or more MAC addresses and MAC address masks into the local MAB database on a LAN Enforcer appliance. For example, 11:00:00:00:00:00/ff:00:00:00:00:00. The delimiter inside a MAC address is a colon. The MAC address and MAC address mask are separated by a forward slash. The MAC address mask must be in hexadecimal format. Multiple sets of MAC addresses and MAC address masks are separated by a comma and a space.
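The three entry forms above and the lookup order described under MAB commands (local database, then LDAP, then RADIUS), modelled as an added Python example that is not part of the guide or of the appliance software. The mask-matching rule, the rejection when no source answers, and the width threshold used to flag broad entries are assumptions; a MAB entry bypasses 802.1x for every address it covers, so the width of each entry is what an auditor wants to see.

```python
import re
from typing import Callable, List, Optional, Tuple

# Hypothetical helper code (not from the guide or the appliance): it models the entry
# forms that "mab database add" accepts and the lookup order the guide describes.

_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# An entry is (kind, a, b): "single" and "range" admit a..b inclusive,
# "mask" stores a=address and b=mask.
Entry = Tuple[str, int, int]


def mac_to_int(mac: str) -> int:
    """Parse a colon-delimited MAC address (the delimiter the guide specifies) to a 48-bit int."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a colon-delimited MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_mab_add(argument: str) -> List[Entry]:
    """Parse the argument string of 'mab database add' into entries.

    Items are separated by a comma and a space; a range uses a hyphen between its
    start and end, an address/mask pair uses a forward slash.
    """
    entries: List[Entry] = []
    for item in argument.split(", "):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo_i, hi_i = mac_to_int(lo), mac_to_int(hi)
            if lo_i > hi_i:
                raise ValueError(f"range start is above range end: {item!r}")
            entries.append(("range", lo_i, hi_i))
        elif "/" in item:
            addr, mask = item.split("/", 1)
            entries.append(("mask", mac_to_int(addr), mac_to_int(mask)))
        else:
            addr_i = mac_to_int(item)
            entries.append(("single", addr_i, addr_i))
    return entries


def entry_matches(entry: Entry, mac_i: int) -> bool:
    """True if the entry admits the MAC (given as int). Assumption: a mask entry matches
    when the masked bits of the candidate equal the masked bits of the entry address."""
    kind, a, b = entry
    if kind == "mask":
        return (mac_i & b) == (a & b)
    return a <= mac_i <= b


def entry_width(entry: Entry) -> int:
    """Number of distinct MAC addresses an entry admits."""
    kind, a, b = entry
    if kind == "mask":
        return 1 << (48 - bin(b).count("1"))
    return b - a + 1


def overly_broad(entries: List[Entry], max_width: int = 256) -> List[Entry]:
    """Entries admitting more than max_width addresses (threshold is an assumption);
    each one waives 802.1x for every address it covers, so they deserve review."""
    return [e for e in entries if entry_width(e) > max_width]


# A lookup returns True (accept), False (reject) or None (server unavailable / not found).
Lookup = Callable[[str], Optional[bool]]


def mab_authenticate(mac: str, local_db: List[Entry], ldap: Lookup,
                     radius: Lookup) -> Tuple[str, bool]:
    """Lookup order from the guide: local MAB database, then LDAP, then RADIUS.
    Returns (source, accepted). Assumption: no answer from any source means reject."""
    mac_i = mac_to_int(mac)
    if any(entry_matches(e, mac_i) for e in local_db):
        return ("local", True)
    for name, lookup in (("ldap", ldap), ("radius", radius)):
        verdict = lookup(mac)
        if verdict is not None:
            return (name, verdict)
    return ("none", False)


if __name__ == "__main__":
    # Constructed argument using the three forms the guide lists.
    db = parse_mab_add("11:22:33:44:55:66, 11:22:33:44:55:66-11:22:44:55:66:77, "
                       "11:00:00:00:00:00/ff:00:00:00:00:00")
    for e in db:
        print(e, "admits", entry_width(e), "addresses")
    print("broad entries:", overly_broad(db))
    print(mab_authenticate("11:ab:cd:ef:01:02", db, lambda m: None, lambda m: None))
```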

MAB database clean command

The MAB database clean command clears all of the MAC entries from the local MAB database on a LAN Enforcer appliance.

You can only remove entries in the local MAB database on a LAN Enforcer appliance if the following conditions have previously been met:

■ MAB was enabled.

■ MAB entries were added to the local MAB database.

The mab database clean command uses the following syntax (LAN Enforcer appliance only):

mab database clean

The following example shows how to remove existing entries from a local MAB database on a LAN Enforcer appliance:

Enforcer:# mab

Enforcer(mab):# database clean


Page 260: Enforcer Implementation Guide SNAC11.0.5

MAB database download command

The MAB database download command enables you to download all MAB entries from a TFTP server to the local MAB database on a LAN Enforcer appliance.

The mab database download command uses the following syntax (LAN Enforcer appliance only):

mab database download {filename ip ip address}

where:

filename: Represents the name of the file that includes all of the MAB entries that the tftp server downloads to the LAN Enforcer appliance.

ip: Represents the IP address of a location, such as a tftp server, from which to download the MAB database to the LAN Enforcer appliance. For example, tftp://nnn.nnn.nnn.nnn

The following example shows how to copy a file that includes MAC addresses for clients from a location, such as a TFTP server, to a local MAB database on a LAN Enforcer appliance:

debug download mab_database_file tftp://192.192.192.10

MAB database upload command

The MAB database upload command enables you to copy all MAB entries from a LAN Enforcer appliance to a location, such as a TFTP server.

The mab database upload command uses the following syntax (LAN Enforcer appliance only):

mab database upload {filename ip ip address}

The following example shows how to copy a file that includes MAC addresses for clients from a local MAB database on a LAN Enforcer appliance to a location, such as a TFTP server:

Enforcer: mab

Enforcer(mab): upload mab_database_file tftp://192.192.192.10

MAB disable command

The MAB disable command disables MAC Authentication Bypass (MAB) on a LAN Enforcer appliance.


Page 261: Enforcer Implementation Guide SNAC11.0.5

The mab disable command uses the following syntax (LAN Enforcer appliance only):

mab disable

The following example shows how to disable MAC Authentication Bypass (MAB) on a LAN Enforcer appliance:

Enforcer: mab

Enforcer(mab)#disable

MAB enable command

The MAB enable command enables MAC Authentication Bypass (MAB) on a LAN Enforcer appliance.

The mab enable command uses the following syntax (LAN Enforcer appliance only):

mab enable

The following example shows how to enable MAC Authentication Bypass (MAB) on a LAN Enforcer appliance:

Enforcer: mab

Enforcer(mab)#enable

MAB LDAP commands

The MAB LDAP commands establish communication between a LAN Enforcer appliance and an LDAP server. After you establish communication between these two devices, you can enable MAC Authentication Bypass (MAB) to authenticate clients by using the database on an LDAP server instead of the local MAB database on a LAN Enforcer appliance.

MAB LDAP disable command

The MAB LDAP disable command disables MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.

The mab ldap disable command uses the following syntax (LAN Enforcer appliance only):

mab ldap disable

The following example shows how to disable MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance:


Page 262: Enforcer Implementation Guide SNAC11.0.5

Enforcer:# mab

Enforcer(mab):# ldap disable

MAB LDAP enable command

The MAB LDAP enable command enables MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.

The mab ldap enable command uses the following syntax (LAN Enforcer appliance only):

mab ldap enable

The following example shows how to enable MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance:

Enforcer:# mab

Enforcer(mab):# ldap enable

MAB LDAP host command

The mab ldap host command specifies the host name of an LDAP server if you plan to authenticate clients by using MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.

The mab ldap host command uses the following syntax (LAN Enforcer appliance only):

mab ldap host string

where:

string represents the host name of a designated LDAP server with which the LAN Enforcer appliance must establish a connection.

The following example shows how to specify the host name for an LDAP server if you plan to authenticate clients by using MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance:

Enforcer: mab

Enforcer(mab): ldap host www.symantec.com

MAB LDAP password command

The mab ldap password command specifies the password on an LDAP server if you plan to authenticate clients by using MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.


Page 263: Enforcer Implementation Guide SNAC11.0.5

The mab ldap password command uses the following syntax (LAN Enforcer appliance only):

mab ldap password string

where:

string represents the password that enables the LAN Enforcer appliance to connect to a designated LDAP server.

The following example shows how to specify the password for an LDAP server if you plan to authenticate clients by using MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance:

Enforcer: mab

Enforcer(mab): ldap password symantec

MAB LDAP port command

The mab ldap port command specifies the port number on an LDAP server if you plan to authenticate clients by using MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance.

The mab ldap command group, including the port command, uses the following syntax (LAN Enforcer appliance only):

ldap enable | disable | host <hostname> | password <string> | port <number>

where:

disable: Disable the Enforcer MAB LDAP lookup feature

enable: Enable the Enforcer MAB LDAP lookup feature

host: Configure the host of the LDAP server

password: Configure the key to access the LDAP server

port: Configure the port of the LDAP server

The following example shows how to specify the port number on an LDAP server if you plan to authenticate clients by using MAC Authentication Bypass (MAB) on an LDAP server instead of a LAN Enforcer appliance:

Enforcer: mab

Enforcer(mab): ldap port 45298


Page 264: Enforcer Implementation Guide SNAC11.0.5

MAB show command

The mab show command enables you to display the following information:

■ Whether MAC Authentication Bypass is enabled or disabled.

■ Whether lookup in the MAC LDAP database on the LDAP server is enabled or disabled.

■ Host name of an LDAP server

■ Port number of an LDAP server

■ Password for an LDAP server

The mab show command uses the following syntax:

show [ldap]

where:

ldap: Show the LDAP server configuration

Enforcer(mab)# show

MAC Address Bypass: Disable

MAC LDAP lookup: Disable

LDAP server host: www.symantec.com

LDAP server port: 1283

LDAP server password: symantec

Monitor commands

The monitor command enables you to display the following information about a managed or unmanaged client:

■ IP address

■ Host name

■ User name (Gateway Enforcer only)

■ Policy ID

■ MAC address (DHCP Enforcer only)

If you want to execute any of the commands in the monitor group, you must be logged on as a superuser.


Page 265: Enforcer Implementation Guide SNAC11.0.5

Monitor refresh command

The monitor refresh command updates information about the client (Gateway and DHCP Enforcer appliances only).

If you want to execute this command, you must be logged on as a superuser.

The monitor refresh command uses the following syntax:

monitor refresh

Monitor show command

The monitor show command enables you to display different types of information. The default is to show all monitor information that is available.

Monitor show blocked-hosts command

The monitor show blocked-hosts command displays a blocked client's IP address, host name, username, client profile, required profile, blocked status, and host integrity status (Gateway Enforcer appliance only). A blocked client includes information about managed users and connected clients.

On a DHCP Enforcer appliance, this command displays a blocked client's IP address, host name, username, MAC address, client profile, required profile, blocked status, and host integrity status.

If you want to execute this command, you must be logged on as a superuser.

The monitor show blocked-hosts command uses the following syntax (Gateway and DHCP Enforcer appliances only):

monitor [show blocked-hosts {all | ip <ipaddress>}]

where:

all: Displays all blocked clients' IP addresses, host names, user names, client profiles, required profiles, blocked status, and host integrity status on Gateway and DHCP Enforcers. In addition, all blocked clients' MAC addresses appear on a DHCP Enforcer.

ip <ipaddress>: Displays a blocked client's IP address, host name, username, client profile, required profile, blocked status, and host integrity status on Gateway and DHCP Enforcers. In addition, a blocked client's MAC address appears on a DHCP Enforcer.

The following example provides information about a blocked client's status on a Gateway Enforcer:


Page 266: Enforcer Implementation Guide SNAC11.0.5

monitor

show blocked-hosts ip 100.0.0.242

Authentication blocked host statistics

IP address: 100.0.0.242

Hostname: SNA-7D7911D97BA

Username: guest

Client Profile: Valid-DB1B 12/29/2007 12:35:00

Required Profile: Valid-DB1B 12/29/2007 12:35:00

Blocked: Host Integrity or Policy check failed

HI status: Host Integrity check failed.

The following example provides information about a blocked client's status on a DHCP Enforcer:

monitor

show blocked-hosts ip 100.0.0.242

Authentication blocked host statistics

IP address: 100.0.0.242

Hostname: SNA-7D7911D97BA

Username: guest

MAC address: 0-12-3f-10-a5-99

Client Profile: Valid-DB1B 12/29/2007 12:35:00

Required Profile: Valid-DB1B 12/29/2007 12:35:00

Blocked: Host Integrity or Policy check failed

HI status: Host Integrity check failed.

Monitor show connected-guests command

The monitor show connected-guests command displays a connected guest's or on-demand client's IP address, host name, username, and policy ID (Gateway Enforcer only). In addition, this command displays a noncompliant client's MAC address for a DHCP Enforcer.

A connected guest or an on-demand client supports the Symantec Network Access Control client software on both the Windows and Macintosh platforms. The connected guest or on-demand client must have been authenticated or set up as a trusted client on the Symantec Endpoint Protection Manager. Otherwise, the monitor show connected-guests command does not display any information about the on-demand clients.

If you want to execute this command, you must be logged on as a superuser.


Page 267: Enforcer Implementation Guide SNAC11.0.5

The monitor show connected-guests command uses the following syntax (Gateway Enforcer appliance and DHCP Enforcer appliance):

monitor [show connected-guests {all | ip <ipaddress>}]

where:

all: Displays all connected guests' IP addresses, host names, user names, client profiles, required profiles, connected status, and host integrity status on Gateway and DHCP Enforcers. In addition, all connected guests' MAC addresses appear on a DHCP Enforcer.

ip <ipaddress>: Displays a connected guest's IP address, host name, username, client profile, required profile, connected status, and host integrity status on Gateway and DHCP Enforcers. In addition, a connected guest's MAC address appears on a DHCP Enforcer.

The following example provides information about a connected guest's status on a Gateway Enforcer:

monitor

show connected-guests ip 100.0.0.242

Authentication connected guests statistics

IP address: 100.0.0.242

Hostname: SNA-7D7911D97BA

Username: guest

Client Profile: Valid-DB1B 12/29/2007 12:35:00

Required Profile: Valid-DB1B 12/29/2007 12:35:00

Connected: Authenticated

HI status: Host Integrity check passed.

The following example provides information about a connected guest's status on a DHCP Enforcer:

monitor

show connected-guests ip 100.0.0.242

Authentication connected guests statistics

IP address: 100.0.0.242

Hostname: SNA-7D7911D97BA

Username: guest

MAC address: 0-12-3f-10-a5-99

Client Profile: Valid-DB1B 12/29/2007 12:35:00

Required Profile: Valid-DB1B 12/29/2007 12:35:00


Page 268: Enforcer Implementation Guide SNAC11.0.5

Connected: Authenticated

HI status: Host Integrity check passed.
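An added Python example, not from the guide, that parses the blocked-hosts and connected-guests output shown in the examples above and pulls out the records an operator would want to look at first: blocked clients whose host integrity check failed, and connected guests whose client profile is not the required profile. The sample output and the MAC normalisation rule (the output drops leading zeros, nothing else differs) are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the layout the guide shows for "monitor show blocked-hosts" and
# "monitor show connected-guests"; the third record is made up to exercise the profile check.
SAMPLE_OUTPUT = """\
Authentication blocked host statistics
IP address: 100.0.0.242
Hostname: SNA-7D7911D97BA
Username: guest
MAC address: 0-12-3f-10-a5-99
Client Profile: Valid-DB1B 12/29/2007 12:35:00
Required Profile: Valid-DB1B 12/29/2007 12:35:00
Blocked: Host Integrity or Policy check failed
HI status: Host Integrity check failed.
Authentication connected guests statistics
IP address: 100.0.0.243
Hostname: LAB-PC01
Username: guest
Client Profile: Valid-DB1B 12/29/2007 12:35:00
Required Profile: Valid-DB1B 12/29/2007 12:35:00
Connected: Authenticated
HI status: Host Integrity check passed.
Authentication connected guests statistics
IP address: 100.0.0.244
Hostname: LAB-PC02
Username: guest
MAC address: 0-12-3f-10-a5-9a
Client Profile: Valid-AA00 12/01/2007 09:00:00
Required Profile: Valid-DB1B 12/29/2007 12:35:00
Connected: Authenticated
HI status: Host Integrity check passed.
"""

_HEADER_RE = re.compile(r"^Authentication (blocked host|connected guests) statistics$")


def normalize_mac(raw: str) -> str:
    """Canonicalise the hyphenated MAC the monitor output prints (e.g. 0-12-3f-10-a5-99)
    into colon-delimited two-digit hex. Assumption: only the zero padding differs."""
    parts = raw.strip().lower().split("-")
    if len(parts) != 6 or not all(
            0 < len(p) <= 2 and all(c in "0123456789abcdef" for c in p) for p in parts):
        raise ValueError(f"unrecognised MAC address: {raw!r}")
    return ":".join(p.zfill(2) for p in parts)


def parse_monitor_output(text: str) -> List[Dict[str, str]]:
    """Split the monitor output into one dict per record; 'kind' is 'blocked' or 'connected'."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HEADER_RE.match(line)
        if m:
            current = {"kind": "blocked" if m.group(1) == "blocked host" else "connected"}
            records.append(current)
            continue
        if current is None or ": " not in line:
            raise ValueError(f"unexpected line outside a record: {line!r}")
        key, value = line.split(": ", 1)   # timestamps contain ':' but never ': '
        if key == "MAC address":
            value = normalize_mac(value)
        current[key] = value
    return records


def hi_failed_hosts(records: List[Dict[str, str]]) -> List[str]:
    """IP addresses of blocked clients whose host integrity check failed."""
    return [r["IP address"] for r in records
            if r["kind"] == "blocked"
            and r.get("HI status", "").startswith("Host Integrity check failed")]


def profile_mismatches(records: List[Dict[str, str]]) -> List[str]:
    """Connected guests whose Client Profile is not the Required Profile: they were
    authenticated on a policy other than the one the Enforcer expects, so their HI
    result was evaluated against stale policy."""
    return [r["IP address"] for r in records
            if r["kind"] == "connected"
            and r.get("Client Profile") != r.get("Required Profile")]


if __name__ == "__main__":
    recs = parse_monitor_output(SAMPLE_OUTPUT)
    print(len(recs), "records")
    print("HI failures:", hi_failed_hosts(recs))
    print("profile mismatches:", profile_mismatches(recs))
```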

Monitor show connected-users command

The monitor show connected-users command displays a connected user's or a managed client's IP address, host name, username, and policy ID (Gateway Enforcer appliance only). In addition, this command displays a connected user's or a managed client's MAC address for a DHCP Enforcer.

A connected user or a managed client supports Symantec Endpoint Protection client software and Symantec Network Access Control client software. The connected user or managed client must have been authenticated or the monitor show connected-users command does not display any information about the client.

You must be logged on to a Gateway or DHCP Enforcer appliance console as a superuser before you can execute this command.

The monitor show connected-users command uses the following syntax (Gateway Enforcer appliance and DHCP Enforcer appliance):

monitor [show connected-users {all | ip <ipaddress>}]

where:

all: Displays all connected clients' IP addresses, host names, and policy IDs (Gateway Enforcer appliance and DHCP Enforcer appliance). All noncompliant clients' MAC addresses are also displayed (DHCP Enforcer appliance only).

ip <ipaddress>: Displays a connected client's IP address, host name, and policy ID (Gateway Enforcer appliance and DHCP Enforcer appliance). A noncompliant client's MAC address is also displayed (DHCP Enforcer appliance only).

SNMP commands

The following SNMP commands allow you to work with the Simple Network Management Protocol.

SNMP disable command

Allows you to disable the Simple Network Management Protocol feature.

The SNMP disable command uses the following syntax:


Page 269: Enforcer Implementation Guide SNAC11.0.5

snmp disable

The following example shows how to disable SNMP:

Enforcer(snmp)#disable

SNMP enable command

Allows you to enable the Simple Network Management Protocol feature.

The SNMP enable command uses the following syntax:

snmp enable

The following example shows how to enable SNMP:

Enforcer(snmp)#enable

SNMP heartbeat command

Allows you to set the heartbeat for the Simple Network Management Protocol feature.

The SNMP heartbeat command uses the following syntax:

heartbeat <seconds>

where:

The seconds represent time, ranging from 30 to 86400.

The default number of seconds is 30.

The following example shows how to set the heartbeat for SNMP to 100 seconds:

Enforcer(snmp)#heartbeat 100

SNMP receiver command

Allows you to add or delete an SNMP receiver.

The SNMP receiver command uses the following syntax:

receiver {add <hostname>[:<port>] | delete <hostname>[:<port>]}

where:

add: Add an SNMP receiver in the format <host[:port]>


Page 270: Enforcer Implementation Guide SNAC11.0.5

delete: Delete an SNMP receiver in the format <host[:port]>

The following example shows how to add or delete an SNMP receiver:

Enforcer(snmp)# receiver add abc

Enforcer(snmp)# receiver delete abc

SNMP show command

Shows the configuration and the status of SNMP.

The SNMP show command uses the following syntax:

show configure | status

The following examples demonstrate how to use the show command:

Enforcer(snmp)#show configure

SNMP Trap : ENABLED

Heartbeat : 30 second(s)

Timeout : 1 second(s)

Retry : 0 time(s)

Trap Receiver : abc:162

Enforcer(snmp)#show status

CPU usage 3%

Memory usage 97%

lo rec/trans:9386498/9386498 byte

eth0 rec/trans:704234599/288693960 byte

eth1 rec/trans:228648902/179921169 byte

Connected to Symantec Endpoint Protection Manager

SNMP trap command

Allows you to set the SNMP trap retry count and timeout value.

The SNMP trap command uses the following syntax:

trap retry <times> | timeout <seconds>

where:

retry: Number of times to retry


Page 271: Enforcer Implementation Guide SNAC11.0.5

timeout: Timeout setting in seconds

The following example shows how to set the SNMP trap retry count and timeout value:

Enforcer(snmp)# trap retry 3

Enforcer(snmp)# trap timeout 3

On-Demand commands

The on-demand commands in the Enforcer appliance CLI enable you to configure the automatic downloading of the Symantec Network Access Control On-Demand client on the Windows and Macintosh platforms. You can only execute the on-demand commands on a Gateway Enforcer and a DHCP Enforcer appliance.

All the commands in this group are described except the exit and help commands. The exit command exits the command group. The help command displays help information on the individual commands in the group.

On-Demand authentication commands

Most enterprises may want to set up authentication for Symantec Network Access Control On-Demand clients.

If you want to authenticate Symantec Network Access Control On-Demand clients on the Windows and Macintosh platforms, you can use any of the following types of databases:

■ Local database that is resident on a Gateway or a DHCP Enforcer appliance. If you do not support an Active Directory server in a network environment, you can use the local on-board database to add user names and passwords for individual users.

■ Active Directory server. You must connect to a Microsoft Windows Server 2003 Active Directory.

Table 11-3 provides information about the on-demand authentication command.

Table 11-3 On-demand authentication arguments

ad: Enables authentication through the use of an Active Directory server instead of the on-board local database on a Gateway and DHCP Enforcer appliance. See “On-demand authentication ad commands” on page 272.


Page 272: Enforcer Implementation Guide SNAC11.0.5

Table 11-3 On-demand authentication arguments (continued)

enable: Enables authentication of the Symantec Network Access Control On-Demand clients on the Gateway and DHCP Enforcer appliances. If you enable authentication on the Enforcer, an end user must pass the authentication (input the correct username and password) before downloading the Symantec Network Access Control On-Demand client. See “On-demand authentication enable command” on page 274.

disable: Disables authentication of the Symantec Network Access Control On-Demand clients on the Gateway and DHCP Enforcer. End users can trigger the automatic downloading of the Symantec Network Access Control On-Demand clients on a client computer without authentication. See “On-demand authentication disable command” on page 274.

local-db: Enables authentication through the use of the on-board local database instead of an Active Directory server on the Gateway and DHCP Enforcer appliance. See “On-Demand authentication local-db commands” on page 275.

show: Lists the status information about the different options and arguments of the authentication command.

upload: Uploads authentication-related files to a server.

On-demand authentication ad commands

If an enterprise network supports a Microsoft Windows Server 2003 Active Directory, you can authenticate users with an Active Directory server. Otherwise you must set up the on-board database to authenticate users.

On-demand authentication ad disable command

You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The on-demand authentication ad disable command uses the following syntax to disable the authentication of clients with a Microsoft Windows Server 2003 Active Directory:

on-demand authentication ad disable


Page 273: Enforcer Implementation Guide SNAC11.0.5

The following example describes how to disable authentication for an On-Demand Client with a Microsoft Windows Server 2003 Active Directory:

on-demand authentication ad disable

On-demand authentication ad domain command

The on-demand authentication ad domain command uses the following syntax to specify the domain name or the domain IP address of a Microsoft Windows Server 2003 Active Directory:

on-demand authentication ad domain <Active Directory Domain server name> | <Active Directory Domain server IP address>

where:

Active Directory Domain server name: Represents the domain name of a Microsoft Windows Server 2003 Active Directory.

Active Directory Domain server IP address: Represents the domain IP address of a Microsoft Windows Server 2003 Active Directory.

The following example describes how to specify the domain name of a Microsoft Windows Server 2003 Active Directory:

Enforcer# on-demand

Enforcer (on-demand)# authentication

Enforcer (authentication)# ad domain symantec.com

where:

symantec.com represents the domain name of the Microsoft Windows Server 2003 Active Directory server.

On-demand authentication ad enable command

The on-demand authentication ad enable command uses the following syntax for enabling the authentication of end users with a Microsoft Windows Server 2003 Active Directory:

on-demand authentication ad enable

The following example describes how to enable authentication for an On-Demand Client with a Microsoft Windows Server 2003 Active Directory:


Page 274: Enforcer Implementation Guide SNAC11.0.5

Enforcer# on-demand

Enforcer (on-demand)# authentication

Enforcer (authentication)# ad enable

On-demand authentication disable command

You can stop the authentication process (the auth-daemon) on the console of a Gateway or DHCP appliance for a Symantec Network Access Control On-Demand client.

The on-demand authentication disable command uses the following syntax:

on-demand authentication disable

You must be logged on to a Gateway or DHCP Enforcer appliance console as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The following example describes how to disable authentication for a Symantec Network Access Control On-Demand client on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer (on-demand)# authentication disable

On-demand authentication enable command

You can start the authentication process (the auth-daemon) on the console of a Gateway or DHCP appliance for a Symantec Network Access Control On-Demand client.

The on-demand authentication enable command uses the following syntax:

on-demand authentication enable

You must be logged on to a Gateway or DHCP Enforcer appliance console as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The following example describes how to enable authentication for a Symantec Network Access Control On-Demand client on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer (on-demand)# authentication enable


Page 275: Enforcer Implementation Guide SNAC11.0.5

On-Demand authentication local-db commands

If an enterprise network does not support a Microsoft Windows Server 2003 Active Directory, you must authenticate users with the on-board database that you can set up on a Gateway Enforcer appliance or a DHCP Enforcer appliance.

On-Demand authentication local-db add command

If you must authenticate users with the on-board database, you must add user accounts for each client on a Gateway Enforcer appliance or a DHCP Enforcer appliance.

See “Setting up authentication with a local on-board database” on page 199.

You must be logged on to the console of a Gateway or a DHCP Enforcer appliance as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The on-demand authentication local-db add command uses the following syntax to add a user account to the on-board database that you set up on a Gateway Enforcer appliance or a DHCP Enforcer appliance:

on-demand authentication local-db add user username

where:

username represents a user account that you can add to the on-board database.

The following example shows how to add a user account with the on-demand authentication local-db add user command:

Enforcer# on-demand

Enforcer (on-demand)# authentication

Enforcer (authentication)# local-db add user jim

On-Demand authentication local-db disable command

The on-demand authentication local-db disable command uses the following syntax to disable the on-board database that you set up on a Gateway Enforcer appliance or a DHCP Enforcer appliance:

on-demand authentication local-db disable

The following example shows how to disable the on-board database:

Enforcer# on-demand

Enforcer (on-demand)# authentication

Enforcer (authentication)# local-db disable


Page 276: Enforcer Implementation Guide SNAC11.0.5

On-Demand authentication local-db enable command

The on-demand authentication local-db enable command uses the following syntax to enable the on-board database that you can set up on a Gateway Enforcer appliance or a DHCP Enforcer appliance:

on-demand authentication local-db enable

The following example shows how to enable the on-board database:

Enforcer# on-demand

Enforcer (on-demand)# authentication

Enforcer (authentication)# local-db enable

On-Demand authentication local-db username commands

The on-demand authentication local-db username commands allow you to add, delete, and edit usernames:

local-db add username <string> password <string>

local-db delete username <string>

local-db edit username <string> password <string>

local-db enable | disable | clear

where:

add: Create a new user account in the local database

clear: Remove all user accounts from the local database

delete: Remove an existing user from the local database

disable: Disable local database authentication

edit: Modify an existing user account

enable: Enable local database authentication

The following example describes how to configure local database authentication for a Symantec Network Access Control On-Demand client on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)#authentication

Enforcer(authentication)# local-db disable


Page 277: Enforcer Implementation Guide SNAC11.0.5

Local database authentication is disabled.

Enforcer(authentication)# local-db enable

Local database authentication is enabled.

Enforcer(authentication)# local add username test password test

Enforcer(authentication)# local-db delete username test

Your action will delete the user account " test " permanently.

Please confirm. [Y/N]y

Enforcer(authentication)# local-db edit username test password b

Enforcer(authentication)# local-db clear

Notice that your action will remove ALL user account permanently!

Please confirm. [Y/N]y

On-Demand banner command

You can edit the default banner on the Welcome page of the Symantec Network Access Control On-Demand clients.

You must be logged on to a Gateway or DHCP Enforcer appliance console as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The on-demand banner command uses the following syntax:

Enforcer(on-demand)# banner

Type the new banner text that cannot exceed 1024

characters, and press Ctrl-D to end:

At the Enforcer appliance command prompt, replace the default banner text with wording of your choice.

The banner text cannot exceed 1024 characters.

On-Demand client-group command

The On-Demand client-group command enables you to configure the name of an Enforcer group on the console of a Gateway or DHCP Enforcer appliance. You do not need to configure the name of the Enforcer on the Enforcer console if you have already configured it on the console of the Symantec Endpoint Protection Manager.


Page 278: Enforcer Implementation Guide SNAC11.0.5

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you can execute this command.

The on-demand client-group command uses the following syntax:

Enforcer# on-demand

Enforcer(on-demand)# client-group <groupname> enable|disable

The following example describes how to add the name of an Enforcer appliance group on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# client-group My Company/On-Demand

where:

groupname represents the Enforcer group name on the Symantec Endpoint Protection Manager for a particular group of On-Demand Client computers.

On-Demand dot1x commandsYou must configure the dot1x command on the console of a Gateway or DHCPEnforcer appliance if the end user uses dot1x authentication in LAN environment

You must be logged on the console of a Gateway or DHCP Enforcer appliance asa superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

On-Demand dot1x certificate commands

The On-Demand dot1x certificate command provides access to a number of commands that enable you to:

■ Import and configure a root server certificate to authenticate an On-Demand Client with an 802.1x-aware switch.

■ Remove a root server certificate.

■ Display configuration criteria about the root server certificate.

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The on-demand dot1x certificate command uses the following syntax:

on-demand dot1x certificate {import | remove | show}


where:

import: Imports a root server certificate from a designated location.

remove: Removes a root server certificate for an 802.1x transport layer security (TLS) protocol.

show: Displays the configuration parameters of a root server certificate for an 802.1x transport layer security (TLS) protocol.

The following example describes how to access the on-demand dot1x certificate command:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# certificate

Enforcer(certificate)#

On-Demand dot1x certificate import

The on-demand dot1x certificate import command imports and configures a root server certificate to authenticate an On-Demand Client with an 802.1x-aware switch.

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you can execute this command.

See “Logging on to an Enforcer appliance” on page 82.

The on-demand dot1x certificate import command uses the following syntax:

import tftp <ipaddress> username <string> password <string> root-cert <string> user-cert <string>

where:

import tftp <ipaddress>: Represents the IP address of the computer from which the Enforcer appliance imports the certificate.

username <string>: Represents the user logon name that you must use to log on to the On-Demand Client computer.

password <string>: Represents the password that you must configure to connect to the TFTP server.

root-cert <string>: Represents the name of the server certificate to be imported.

user-cert <string>: Represents the name of the user certificate to be imported.

The following example describes how to import and configure a root server certificate to authenticate an On-Demand Client with an 802.1x-aware switch:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# certificate

Enforcer(certificate)# import tftp:10.200.39.251 password symantec username janedoe user-cert name.pfx root-cert name.cer

where:

10.200.39.251: Represents the computer from which the Enforcer appliance imports the certificate.

password symantec: Represents the password that you must configure to connect to the TFTP server.

username janedoe: Represents the user logon name that you must use to log on to the On-Demand Client computer.

user-cert name.pfx: Represents the name of the user certificate to be imported.

root-cert name.cer: Represents the name of the server certificate to be imported.

On-Demand dot1x certificate remove command

You can use the on-demand dot1x certificate remove command to delete the name of a dot1x certificate.

The on-demand dot1x certificate remove command uses the following syntax:

on-demand dot1x certificate remove <string>

where:

<string> represents the name of the dot1x certificate that you want to remove.

The following example describes how to remove a dot1x certificate with a filename called packagelist.

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# certificate

Enforcer(certificate)# remove packagelist


Are you sure that you want to remove " packagelist "? [Y/N]

Y

On-Demand dot1x show certificate command

You can use the on-demand dot1x show certificate command to display information about the dot1x certificate.

The on-demand dot1x show certificate command uses the following syntax:

on-demand dot1x certificate show

The following example describes how to display the imported dot1x certificates.

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# certificate

Enforcer(certificate)# show

Certificates: packagelist

On-Demand dot1x peap command

The On-Demand dot1x peap command enables you to configure an 802.1x Protected Extensible Authentication Protocol (PEAP) to authenticate an On-Demand Client into the protected network.

You must log on to the console of a Gateway or DHCP Enforcer as a superuser before you configure this command.

The on-demand dot1x peap command uses the following syntax:

on-demand dot1x peap {cert-svr | fast-reconn | validate-svr | show}

The following example describes how to configure an 802.1x PEAP protocol on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# dot1x peap

where:

peap specifies a Protected Extensible Authentication Protocol (PEAP) configuration as your On-Demand Client dot1x authentication protocol.

On-Demand dot1x peap validate-svr command

The On-Demand dot1x peap validate-svr command enables you to enable or disable the validation of a root server certificate for an 802.1x Protected Extensible Authentication Protocol (PEAP) protocol configuration.


You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you can execute this command.

The on-demand dot1x peap validate-svr command uses the following syntax:

on-demand dot1x peap validate-svr [enable | disable]

The following example describes how to enable the validation of a root server certificate for the 802.1x PEAP protocol on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# peap validate-svr enable

where:

validate-svr enable sets the validation of a root server certificate for an 802.1x Protected Extensible Authentication Protocol (PEAP) configuration.

On-Demand dot1x peap cert-svr command

The On-Demand dot1x peap cert-svr command enables you to import and configure a root server certificate for an 802.1x Protected Extensible Authentication Protocol (PEAP) for On-Demand Client authentication.

You must be logged on to the console of a Gateway or DHCP Enforcer as a superuser before you can execute this command.

The on-demand dot1x peap cert-svr command uses the following syntax:

Enforcer# on-demand

Enforcer(on-demand)# dot1x peap cert-svr

The following example describes how to import and configure a certificate for the 802.1x PEAP protocol on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# dot1x peap cert-svr

Enforcer(peap)# cert-svr host snac

Enforcer(peap)# cert-svr disable

Enforcer(peap)# cert-svr enable

where:

host: Set PEAP certificate server's hostname

enable: Enable PEAP certificate server

disable: Disable PEAP certificate server

On-Demand dot1x peap fast-reconn command

The On-Demand dot1x peap fastreconn command allows you to enable or disable fast reconnection of an 802.1x Protected Extensible Authentication Protocol (PEAP) configuration for On-Demand Clients.

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you can execute this command.

The on-demand dot1x peap fastreconn command uses the following syntax:

Enforcer# on-demand

Enforcer(on-demand)# dot1x peap fastreconn {enable|disable}

The following example describes how to enable fast reconnection for an 802.1x Protected Extensible Authentication Protocol (PEAP) configuration on the console of a Gateway or a DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# dot1x peap fastreconn enable

where:

fastreconn enable turns on fast reconnection for an 802.1x Protected Extensible Authentication Protocol (PEAP) configuration.

On-Demand dot1x peap show command

The On-Demand dot1x peap show command allows you to display the configuration settings for an 802.1x Protected Extensible Authentication Protocol (PEAP) authentication for an On-Demand Client. Use this command to confirm that the active protocol is PEAP.

You must be logged on to the console of a Gateway or DHCP Enforcer as a superuser before you can execute this command.

The on-demand dot1x peap show command uses the following syntax:

show

The following example describes how to display the configuration settings for an 802.1x Protected Extensible Authentication Protocol authentication on the console of a Gateway or DHCP Enforcer appliance:

Enforcer(peap)# show

PEAP Validate Server Certificate: DISABLED

PEAP Certificate Server: DISABLED


PEAP Certificate Server: snac

PEAP Fast Reconnected: ENABLED

On-Demand dot1x tls command

The On-Demand dot1x tls command allows you to configure the 802.1x transport layer security (TLS) protocol for On-Demand Client sessions.

You must log on to the console of a Gateway or DHCP Enforcer as a superuser before you configure this command.

The on-demand dot1x tls command uses the following syntax:

on-demand dot1x tls {cert-svr | validate-svr | show}

The following example describes the syntax for the on-demand dot1x tls command on the Gateway or DHCP Enforcer appliance console:

Enforcer# on-demand

Enforcer(on-demand)# dot1x tls

where:

tls specifies a Transport Layer Security (TLS) configuration for your On-Demand Client dot1x authentication protocol configuration.

On-Demand dot1x tls validate-svr command

The On-Demand dot1x tls validate-svr command enables or disables the validation of a root server certificate for an 802.1x transport layer security (TLS) protocol configuration.

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you can execute this command.

The on-demand configure dot1x tls validate-svr command uses the following syntax:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# tls validate-svr [enable|disable]

The following example describes the syntax for the on-demand dot1x tls validate-svr command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# dot1x tls validate-svr enable

where:


validate-svr enable sets the validation of a root server certificate for an 802.1x transport layer security (TLS) protocol configuration.

On-Demand dot1x tls cert-svr command

The On-Demand dot1x tls cert-svr command enables you to import and configure a root server certificate for an 802.1x transport layer security (TLS) protocol for On-Demand Client authentication.

You must be logged on to the console of a Gateway or DHCP Enforcer as a superuser before you can execute this command.

The on-demand dot1x tls cert-svr command uses the following syntax:

Enforcer# on-demand

Enforcer(on-demand)# dot1x tls cert-svr

The following example describes the syntax for the on-demand dot1x tls certificate command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# tls

Enforcer(tls)# cert-svr host snac

Enforcer(tls)# cert-svr disable

Enforcer(tls)# cert-svr enable

where:

host: Set TLS certificate server's hostname

enable: Enable TLS certificate

disable: Disable TLS certificate

On-Demand dot1x tls show command

The On-Demand dot1x tls show command allows you to view configuration settings for an 802.1x transport layer security (TLS) protocol for On-Demand Client authentication. Use this command to make sure that the TLS server certificate is enabled.

You must be logged on to the console of a Gateway or DHCP Enforcer as a superuser before you configure this command.

The on-demand dot1x tls show command uses the following syntax:

Enforcer# on-demand

Enforcer(on-demand)# dot1x show [tls | peap]


The following example describes how to display the configuration settings for an 802.1x transport layer security protocol authentication on the console of a Gateway or DHCP Enforcer appliance:

Enforcer(tls)# show

TLS Validate Server Certificate: DISABLED

TLS Certificate Server: ENABLED

TLS Certificate Server: snac

On-Demand dot1x protocol command

The On-Demand dot1x protocol command enables you to set the active authentication protocol to either Protected Extensible Authentication Protocol (PEAP) or Transport Layer Security (TLS) protocol to authenticate On-Demand Clients with an 802.1x-aware switch that has dot1x-enabled ports.

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you configure this command.

The on-demand dot1x protocol command uses the following syntax:

on-demand dot1x protocol [tls | peap]

The following example describes how to set the active authentication protocol to Protected Extensible Authentication Protocol (PEAP) to authenticate On-Demand Clients with an 802.1x-aware switch that has dot1x-enabled ports:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# protocol peap

The following example describes how to set the active authentication protocol to Transport Layer Security (TLS) protocol to authenticate On-Demand Clients with an 802.1x-aware switch that has dot1x-enabled ports:

Enforcer# on-demand

Enforcer(on-demand)# dot1x

Enforcer(dot1x)# protocol tls

On-Demand dot1x default-user command

The On-Demand dot1x default-user command allows you to set the active authentication protocol as anonymous for On-Demand Client 802.1x authentication.

You must be logged on to the Gateway or DHCP Enforcer console as a superuser before you configure this command.


The on-demand configure dot1x default-user command uses the following syntax:

default-user username <string> password <string>

The following example describes the syntax for the on-demand dot1x anonymity command on the Gateway or DHCP Enforcer appliance console:

Enforcer(dot1x)# default-user username snac password snac

On-Demand dot1x show command

The On-Demand dot1x show command allows you to view 802.1x authentication settings for On-Demand Client authentication.

You must be logged on to the Gateway or DHCP Enforcer console as a superuser before you configure this command.

The On-Demand dot1x show command uses the following syntax:

show {protocol | peap | tls | certificate | default-user}

where:

protocol: Show the current active 802.1x protocol

peap: Show the PEAP authentication settings

tls: Show the TLS authentication settings

certificate: List imported authentication certificates

default-user: Show default user information

The following example describes how to display the protocol settings on the console of a Gateway or DHCP Enforcer appliance:

Enforcer(dot1x)# show peap

PEAP Validate Server Certificate: DISABLED

PEAP Certificate Server: DISABLED

PEAP Certificate Server: snac

PEAP Fast Reconnected: ENABLED

On-Demand show command

The On-Demand show command allows you to display the configuration settings for On-Demand Clients.

You must be logged on to the console of a Gateway or DHCP Enforcer as a superuser before you configure this command.


The on-demand show command uses the following syntax:

show [banner | authentication | dot1x | status | configuration]

The following example describes the syntax for the on-demand show command on the Gateway or DHCP Enforcer appliance console:

Enforcer(on-demand)# show

On-Demand: ENABLED

Policy Manager Connected: YES

Policy Manager Domain ID: BD751DAE0AC827F7015EFE3443254960

Client Group: My Company/My Group

Authentication: DISABLED

Local Database Authentication: DISABLED

Active Directory Authentication: DISABLED

Active Directory Domain ID: (NULL)

Active Protocol: TLS

Banner: (NULL)

On-Demand spm-domain command

You must configure the spm-domain on a Gateway or DHCP Enforcer appliance console. Otherwise the installation fails. The spm-domain may be automatically sent to a Symantec Endpoint Protection Manager. If you have installed version 11.2 or later of a Symantec Endpoint Protection Manager, the spm-domain is automatically sent to a Symantec Endpoint Protection Manager. You can autocomplete the spm-domain on the console of any Enforcer appliance.

Any version of a Symantec Endpoint Protection Manager that precedes 11.2 must be configured with the on-demand spm-domain command on a Gateway or DHCP Enforcer appliance console.

See “Enabling Symantec Network Access Control On-Demand clients to temporarily connect to a network” on page 197.

The spm-domain appears in the Clients page on the Symantec Endpoint Protection Manager Console.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control on how to locate the spm-domain.

You must be logged on to the console of a Gateway or DHCP Enforcer appliance as a superuser before you configure this command.

See “Logging on to an Enforcer appliance” on page 82.


The on-demand spm-domain command uses the following syntax:

spm-domain {name <string> | id <string>}

The following example describes the syntax for the on-demand spm-domain command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer# on-demand

Enforcer(on-demand)# spm-domain id BD751DAE0AC827F7015EFE3443254960

Enforcer(on-demand)# spm-domain name Default

where:

BD751DAE0AC827F7015EFE3443254960 represents the spm-domain that is located in the Clients page on the console of the Symantec Endpoint Protection Manager.

On-Demand mac-compliance commands

You must configure the mac-compliance command on a Gateway or DHCP Enforcer appliance console. Additionally, you only need to execute the mac-hi command if the Symantec Network Access Control On-Demand client on a Macintosh platform needs to be supported. Otherwise the installation fails.

You must be logged on to the Gateway or DHCP Enforcer console as a superuser before you configure this command.

See “Logging on to an Enforcer appliance” on page 82.

The on-demand mac-compliance command uses the following syntax:

on-demand mac-compliance {disable | enable | interval | show}

where:

disable: Disable compliance checking rules for Symantec Network Access Control On-demand Client for Mac

enable: Enable HI rules for Symantec Network Access Control On-demand Client for Mac

interval: Set compliance checking interval (minutes) for Symantec Network Access Control On-demand Client for Mac

show: Show compliance checking configuration for Symantec Network Access Control On-demand Client for Mac

exit: Exit the Macintosh compliance setting

clear: Clear the screen

help: Display Help for a command

On-demand mac-compliance disable command

The on-demand mac-compliance disable command uses the following syntax:

on-demand mac-compliance disable <rule-number>

The following example describes the syntax for the on-demand mac-compliance disable command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer(mac-compliance)# disable 1

where the user may select any of the following rules by entering the number that is associated with the rule, as shown in this example:

<Number> <State> <Description>

1 ENABLED Check system updated

2 ENABLED Check SAV installed

3 ENABLED Check SAV auto-protect started

4 ENABLED Check IP firewall started

5 ENABLED Check Norton confidential installed

6 ENABLED Check screen saver inactivity/lock

Note: The Check system updated command is optional. Host Integrity will pass regardless of its state. The purpose of the command is to remind users to update their systems.

On-demand mac-compliance enable command

The on-demand mac-compliance enable command uses the following syntax:

on-demand mac-compliance enable <rule-number>

The following example describes the syntax for the on-demand mac-compliance enable command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer(mac-compliance)# enable 1


where the user may select any of the following rules by entering the number that is associated with the rule, as shown in this example:

<Number> <State> <Description>

1 DISABLED Check system updated

2 DISABLED Check SAV installed

3 DISABLED Check SAV auto-protect started

4 DISABLED Check IP firewall started

5 DISABLED Check Norton confidential installed

6 DISABLED Check screen saver inactivity/lock

Note: The Check system updated command is optional. Host Integrity will pass regardless of its state. The purpose of the command is to remind users to update their systems.

On-demand mac-compliance interval command

The on-demand mac-compliance interval command uses the following syntax:

on-demand mac-compliance interval <minutes>

where:

The user may set the compliance-checking interval in minutes for Symantec Network Access Control On-demand Client for Mac, in the range of 1-14398560 minutes.

On-demand mac-compliance show command

The on-demand mac-compliance show command uses the following syntax:

on-demand mac-compliance show {rules | interval}

The following example shows the on-demand mac-compliance show command on the console of a Gateway or DHCP Enforcer appliance:

Enforcer(mac-compliance)# show rules

1 ENABLED Check system updated

2 ENABLED Check SAV installed

3 ENABLED Check SAV auto-protect started

4 ENABLED Check IP firewall started

5 ENABLED Check Norton confidential installed

6 ENABLED Check screen saver inactivity/lock


Enforcer(mac-compliance)# show interval

Interval: 3 (minutes)
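The dot1x show output (PEAP/TLS "Validate Server Certificate" and "Certificate Server" lines) and the mac-compliance show rules output can both be audited offline from a saved console transcript. The following script is an added example, not part of this guide or of the Enforcer software; the sample transcripts in it are constructed to match the format printed in this chapter, and the rule-1 exception follows the note above that Host Integrity passes regardless of the "Check system updated" state.

```python
"""Audit Enforcer On-Demand dot1x and mac-compliance 'show' transcripts.

Added example, not part of the Symantec guide. The samples below are
constructed to mirror the output format shown in this chapter; they were
not captured from a real appliance.
"""
import re

# Constructed sample of 'Enforcer(dot1x)# show peap' output.
SAMPLE_PEAP = """\
PEAP Validate Server Certificate: DISABLED
PEAP Certificate Server: DISABLED
PEAP Certificate Server: snac
PEAP Fast Reconnected: ENABLED
"""

# Constructed sample of 'Enforcer(tls)# show' output.
SAMPLE_TLS = """\
TLS Validate Server Certificate: ENABLED
TLS Certificate Server: ENABLED
TLS Certificate Server: snac
"""

# Constructed sample of 'Enforcer(mac-compliance)# show rules' output.
SAMPLE_RULES = """\
1 DISABLED Check system updated
2 ENABLED Check SAV installed
3 DISABLED Check SAV auto-protect started
4 ENABLED Check IP firewall started
5 ENABLED Check Norton confidential installed
6 DISABLED Check screen saver inactivity/lock
"""

# Rule 1 is optional per the guide: Host Integrity passes regardless of its state.
OPTIONAL_RULES = {1}


def parse_show(text):
    """Parse 'Key: Value' lines into {key: [values]}.

    A list is kept per key because 'Certificate Server' is printed twice:
    once with its ENABLED/DISABLED state and once with the configured hostname.
    """
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_dot1x(protocol, text):
    """Return a list of findings for a PEAP or TLS 'show' transcript.

    Without server certificate validation the On-Demand client cannot tell the
    real authentication server from an impostor presenting any certificate, so
    'validate-svr' should be ENABLED, and an enabled certificate server should
    have a hostname configured with 'cert-svr host <name>'.
    """
    prefix = protocol.upper()
    s = parse_show(text)
    findings = []
    validate = s.get(f"{prefix} Validate Server Certificate", ["MISSING"])[0]
    if validate != "ENABLED":
        findings.append(
            f"{prefix} server certificate validation is {validate}; "
            f"fix with 'dot1x {protocol} validate-svr enable'")
    cert_svr = s.get(f"{prefix} Certificate Server", [])
    state = next((v for v in cert_svr if v in ("ENABLED", "DISABLED")), "MISSING")
    host = next((v for v in cert_svr if v not in ("ENABLED", "DISABLED", "")), None)
    if state == "ENABLED" and host is None:
        findings.append(f"{prefix} certificate server is enabled but no hostname is set")
    return findings


# '<Number> <State> <Description>' as printed by 'show rules'.
RULE_RE = re.compile(r"^\s*(\d+)\s+(ENABLED|DISABLED)\s+(.+?)\s*$")


def parse_rules(text):
    """Parse rule lines into (number, state, description) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def disabled_mandatory_rules(text):
    """Return (number, description) for disabled rules that Host Integrity enforces."""
    return [(n, desc) for n, state, desc in parse_rules(text)
            if state == "DISABLED" and n not in OPTIONAL_RULES]


if __name__ == "__main__":
    for proto, sample in (("peap", SAMPLE_PEAP), ("tls", SAMPLE_TLS)):
        for finding in audit_dot1x(proto, sample) or [f"{proto.upper()}: ok"]:
            print(finding)
    for number, desc in disabled_mandatory_rules(SAMPLE_RULES):
        print(f"mac-compliance rule {number} disabled: {desc}")
```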


Chapter 12: Troubleshooting an Enforcer appliance

This chapter includes the following topics:

■ About troubleshooting an Enforcer appliance

■ General troubleshooting topics and known issues

■ About debug information transfer over the network

About troubleshooting an Enforcer appliance

You may need to troubleshoot communication problems between Enforcers and the Symantec Endpoint Protection Manager.

See “Enforcement questions” on page 297.

Select any of the following topics:

■ Enforcer cannot register with the Symantec Endpoint Protection Manager

■ Delay in connecting to the network through an Enforcer

■ Gateway Enforcer appliance blocks clients

■ DHCP Enforcer appliance blocks clients

■ Same LAN Enforcer appliance registers twice on the Symantec Endpoint Protection Manager Console

■ Client disconnected events in the LAN Enforcer appliance's Client Log

■ LAN Enforcer appliance does not switch clients to the correct VLAN


General troubleshooting topics and known issues

The following topics are broader and may also provide help:

Table 12-1

Symptom: Enforcer root password is shown as invalid when set using the command-line interface
Solution: There is a 128-character limit to the size of passwords. Use another password of shorter length.

Symptom: Time synchronization fails when installing a LAN Enforcer with NTP enabled and configured on Dell 850
Solution: This is a hardware issue. The workaround is to disable NTP and then enable it.

Symptom: Changing memory on the R200 causes hardware errors
Solution: This is due to hard coding of the IRQs. Remove the additional memory or reinstall the Enforcer after the hardware change. Our tests have shown that additional memory does not make an appreciable difference.

Symptom: Some settings (Debug Level, Capture) return to default when the Enforcer is upgraded
Solution: This can appear on upgrade, but does not appear thereafter.

Symptom: Problems appear when running SNMP with the Enforcer and HP OpenView
Solution: This can be resolved through configuring HP OpenView, as follows:

■ Load the Symantec MIB file, using Option > Load/unload MIB

■ Using Option > Event Configuration, choose OnDemandTraps (.1.3.6.1.4.1.393.588), and modify each trap as required. For example, on EventMessage, choose Log and display in category. Then select a category from the drop-down list. Set the Event Log Message as $1.

About debug information transfer over the network

When problems occur on the Enforcer appliance, a debug log is created on the Enforcer (kernel.log). If you need to transfer debug information over the network, use one of the following debug commands to transfer the debug logs:

debug upload: To transfer one file to a tftp server


File transfer over the network requires a serial connection between a computer and the Enforcer appliance.

The following example represents a file-transfer output that the HyperTerminal performs:

<date> <Time> <File Name>

2008-08-01 16:32:26 user.log

2008-08-01 16:32:24 kernel.log

2008-08-01 14:30:03 ServerSylink[08-01-2008-14-30-03].xml

2008-08-01 14:29:59 ServerProfile[08-01-2008-14-29-59].xml

Enforcer(debug)# upload tftp 10.1.1.1 filename kernel.log


Chapter 13: Frequently asked questions about the Gateway, DHCP, or LAN Enforcer appliances

This chapter includes the following topics:

■ Enforcement questions

Enforcement questions

The following issues provide answers about enforcement issues on the Gateway Enforcer appliance, DHCP Enforcer appliance, or LAN Enforcer appliance:

■ See “Which antivirus software provides support for host integrity?” on page 297.

■ See “Can Host Integrity policies be set at the group level or the global level?” on page 299.

■ See “Can you create a custom host integrity message?” on page 299.

■ See “What happens if Enforcer appliances cannot communicate with Symantec Endpoint Protection Managers?” on page 299.

■ See “Is a RADIUS server required when a LAN Enforcer appliance runs in transparent mode?” on page 300.

■ See “How does enforcement manage computers without clients?” on page 300.

Which antivirus software provides support for host integrity?

Symantec Network Access Control supports the following antivirus software:

■ AVG Anti-Virus Free Edition 8.0


■ AVG Internet Security Edition 8.0

■ BitDefender Internet Security 2008

■ BitDefender Total Security 2008

■ CA Internet Security Suite Plus 2008

■ CA Personal Firewall 2008

■ eTrust EZ Antivirus 7.1.129

■ eTrust EZ Antivirus 7.014

■ Lavasoft Ad-Aware Pro 2008

■ McAfee Internet Security Suite 2008

■ McAfee VirusScan Professional 7.02

■ McAfee VirusScan Corp Edition 7.1.0

■ McAfee VirusScan Enterprise 8.0i

■ McAfee VirusScan Enterprise 8.5i

■ McAfee VirusScan Professional 8.0

■ McAfee VirusScan Home Edition 8.0

■ McAfee VirusScan Home Edition 9.0

■ McAfee VirusScanPlus 2008

■ Norton 360 All in One Security

■ Norton AntiVirus 2004

■ Norton AntiVirus 2005

■ Norton AntiVirus 2008

■ Norton AntiVirus 9.0

■ Norton Internet Security 2005

■ Norton Internet Security 2006

■ Norton Internet Security 2007

■ Norton Internet Security 2008

■ Panda Internet Security 2008

■ Panda Platinum Antivirus 7.0

■ Panda Security Panda Antivirus + Firewall 2008

■ Panda Titanium Antivirus 2004


■ Sophos AntiVirus 3.87

■ Trend Micro Internet Security 2008

■ Trend Micro OfficeScan Corporate Edition 5.58

■ Trend Micro OfficeScan Corporate Edition 6.5

■ Trend Micro PC-cillin 2003

■ Trend Micro PC-cillin Internet Security 2004

■ Trend Micro Virus Buster 2008

■ Webroot Spy Sweeper 5.5

Can Host Integrity policies be set at the group level or the global level?

You can assign Host Integrity policies by group and by location on the console of the Symantec Endpoint Protection Manager.

Can you create a custom host integrity message?

Symantec Network Access Control can create custom Host Integrity messages for each Host Integrity rule. You can customize the message, including the icon and the title. You can perform this customization through a custom Host Integrity rule.

What happens if Enforcer appliances cannot communicate with Symantec Endpoint Protection Managers?

If you plan to use Enforcers with Symantec Endpoint Protection, we recommend that you have redundant management servers. If the Symantec Endpoint Protection Manager is unavailable, the Enforcer blocks the traffic from the clients.

Redundant management servers are preferable. The Enforcer sends a UDP packet on port 1812 by using the RADIUS protocol to the Symantec Endpoint Protection Manager to verify the GUID from the clients. If a firewall blocks this port or if a Symantec Endpoint Protection Manager is unavailable, then the clients are blocked.

An option on the Enforcer allows client access to the network when the Symantec Endpoint Protection Manager is unavailable. If this option is enabled and the Symantec Endpoint Protection Manager is unavailable, the GUID check and the profile checks are not performed. Only the Host Integrity check can be performed on the client when the Symantec Endpoint Protection Manager is unavailable.

You can use the advanced local-auth command to enable or disable the Enforcer’s authentication of a client.


See “Advanced local-auth” on page 246.

Is a RADIUS server required when a LAN Enforcer appliance runs in transparent mode?

RADIUS server requirements depend on how the switch is configured and what you use the switch to authenticate.

The following are some items to watch out for:

■ Switches that use RADIUS servers for more than the authentication of 802.1x users. For example, when you log on to the switch, you must type a user name and password. The RADIUS server typically performs authentication for this logon. When the LAN Enforcer appliance is installed, this authentication is sent to the LAN Enforcer appliance. If the authentication is sent to the LAN Enforcer appliance, you must configure the RADIUS server IP address in the LAN Enforcer appliance. You must configure the LAN Enforcer appliance to forward all non-EAP requests directly to the RADIUS server.

■ Installation of an 802.1x supplicant on a client system. If an 802.1x supplicant exists on a client system, the LAN Enforcer appliance tries to authenticate with the RADIUS server. 802.1x authentication is enabled by default on Windows XP. If you enable your client to work in transparent mode, it does not automatically disable the built-in 802.1x supplicant. You must make sure that no 802.1x supplicant runs on any of your client computers.

■ Configuration of the Enforcer to ignore the RADIUS request from any client computer that includes a third-party 802.1x supplicant. You can set up this configuration by using an IP address of 0.0.0.0 for the RADIUS server. You can use this setup if you want to run a LAN Enforcer in transparent mode. Some clients can have an 802.1x supplicant. In this case, you can specify that the LAN Enforcer appliance does not send any traffic to a RADIUS server.
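The following Python example is added here for illustration; it is not part of the Symantec product or of this guide. It implements the RADIUS framing (RFC 2865) that both of the preceding situations rely on: the Enforcer's UDP port 1812 exchange with the Symantec Endpoint Protection Manager, where no valid reply within the timeout is the fail-closed case described at the start of this topic, and the transparent-mode decision of whether a request from the switch carries EAP (an 802.1x supplicant) or is an ordinary logon that must be forwarded to the real RADIUS server. The attributes the Enforcer actually uses to carry the client GUID are not documented here, so the probe uses the standard User-Name and User-Password attributes; the host name, the shared secret and the routing labels ("forward", "proxy-eap", "ignore", "drop") are assumptions of the example.

```python
import hashlib
import hmac
import os
import socket
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RADIUS packet codes
USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79             # attribute types (RFC 2865, RFC 3579)
Attrs = List[Tuple[int, bytes]]

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it before checking the credential."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def encode_attrs(attrs: Attrs) -> bytes:
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Return (code, identifier, authenticator, attrs); every length field is checked first."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def build_access_request(ident: int, username: str, password: str, secret: bytes) -> Tuple[bytes, bytes]:
    request_auth = os.urandom(16)                                # fresh nonce for every request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def build_response(code: int, ident: int, request_auth: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if it was computed over our nonce with the shared secret."""
    _, _, auth, _ = parse_packet(resp)
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)

def probe_radius(host: str, secret: bytes, timeout: float = 3.0, port: int = 1812):
    """Reachability check from the Enforcer's side. Returns the reply code, or None when no
    valid reply arrives in time: the fail-closed case (blocked port or unavailable manager)."""
    req, request_auth = build_access_request(1, "probe", "probe", secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_packet(resp)[0] if verify_response(resp, request_auth, secret) else None

def route_request(data: bytes, radius_server_ip: str) -> str:
    """Transparent-mode decision: 0.0.0.0 means the appliance never forwards to a RADIUS server;
    otherwise EAP (802.1x supplicant) requests go to the appliance's own proxy logic and all
    other requests, such as switch administrator logons, are forwarded to the RADIUS server."""
    code, _, _, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return "drop"
    if radius_server_ip == "0.0.0.0":
        return "ignore"
    return "proxy-eap" if any(t == EAP_MESSAGE for t, _ in attrs) else "forward"
```

probe_radius is the only function that touches the network; everything else runs offline. The shared secret is the only thing that authenticates the manager's reply, so protect it as you would a password, and note that verify_response rejects a reply whose attributes were altered in transit because the authenticator covers them.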

How does enforcement manage computers without clients?

Symantec Network Access Control can enforce security policies only for the systems that have Symantec clients installed. The security stance of systems protected by other vendors' products cannot be verified or enforced, and attempting enforcement against such systems can disrupt the network.

The following enforcement methods are available:

■ Self enforcement: Self enforcement by the client firewall has no effect on the systems without clients in the network.

■ Gateway enforcement: In the networks that use gateway enforcement, the systems without clients cannot pass through the gateway. Where you place the Gateway Enforcer in the network is critical; it can block access to critical network resources to which other systems require access. You can make exceptions for trusted IP addresses so that they can pass through the gateway inbound or outbound without a client. Similarly, the gateway can also exempt non-Microsoft operating systems from enforcement. One network design could be to place non-critical servers on the same side of the gateway. This configuration simplifies the network design without seriously compromising security.

■ DHCP enforcement: DHCP enforcement restricts the computers that are out of compliance or the systems without clients. It restricts these systems to a separate address space or provides them with a subset of routes on the network. This restriction reduces the network services for these devices. Similar to gateway enforcement, you can make exceptions for trusted MAC addresses and non-Microsoft operating systems.

■ LAN enforcement: LAN enforcement uses the 802.1x protocol to authenticate between the switch and the client systems that connect to the network. To use this method of enforcement, the switch software must support the 802.1x protocol and its configuration must be correct. 802.1x supplicant software is also required if the administrator wants to verify user identity as well as host NAC status. The switch configuration must handle the exceptions for systems without clients, rather than any Symantec configuration. You have several ways to set up this switch configuration. Methods vary depending on the type of switch and the software version it runs. A typical method implements the concept of a guest VLAN. Systems without clients are assigned to a network that has a lower level of network connectivity. Another method involves basing the exceptions on MAC addresses. You can disable 802.1x on selected ports. However, disabling 802.1x on a port allows anyone to connect through that port, so it is not recommended. Many vendors have special provisions for VoIP phones that can automatically move these devices to special voice VLANs.

■ Universal enforcement API: When you use the Universal Enforcement API, the third-party vendor's implementation of the API handles the exceptions.

■ Enforcement by using Cisco NAC: When you use the Symantec solution to interface with Cisco NAC, the Cisco NAC architecture handles any exclusions.


Section 2: Installing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

■ Chapter 14. Introducing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

■ Chapter 15. Planning for the installation of the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

■ Chapter 16. Installing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers


Chapter 14: Introducing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

This chapter includes the following topics:

■ About the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

■ How an Integrated Enforcer for Microsoft DHCP Servers works

■ How to get started with the installation of an Integrated Enforcer for Microsoft DHCP Servers

■ Where to find more information about related documentation for an Integrated Enforcer for Microsoft DHCP Servers

About the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

The Symantec NAC Integrated Enforcer for Microsoft DHCP Servers works in concert with the Microsoft Windows Dynamic Host Configuration Protocol (DHCP) server. It ensures that the clients that try to connect to the network comply with configured security policies.

The Integrated Enforcer for Microsoft DHCP Servers achieves security by intercepting and checking DHCP messages from each client that receives a dynamic IP address through the DHCP server. It then groups non-secure computers into a quarantine class and provides non-secure computers with available but limited resources for each established policy configuration.


How an Integrated Enforcer for Microsoft DHCP Servers works

The Integrated Enforcer for Microsoft DHCP Servers checks for either Symantec Endpoint Protection or Symantec Network Access Control client installations on all the DHCP clients that the DHCP server manages. It then enforces policies for those clients as configured on the Symantec Endpoint Protection Manager.

The Integrated Enforcer for Microsoft DHCP Servers also authenticates the client for agent existence, Globally Unique Identifier (GUID), Host Integrity, and profile version for each configured policy. It then either allows or quarantines the client based on its authentication result.

The Integrated Enforcer for Microsoft DHCP Servers uses a plug-in to interact with the Microsoft DHCP Server. Although the Integrated Enforcer for Microsoft DHCP Servers and the DHCP Server must be installed on the same computer, the Integrated Enforcer for Microsoft DHCP Servers does not depend on the DHCP server at run time.

Note: Stopping the DHCP server does not stop the Integrated Enforcer for Microsoft DHCP Servers. Stopping the Integrated Enforcer for Microsoft DHCP Servers does not stop the DHCP server. By having the Integrated Enforcer for Microsoft DHCP Servers reside on the same computer as the DHCP Server, the Integrated Enforcer for Microsoft DHCP Servers eliminates the need for additional hardware.

You use the Symantec Endpoint Protection Manager to configure the security policies. However, the Integrated Enforcer for Microsoft DHCP Servers enforces the security policies.

The Integrated Enforcer for Microsoft DHCP Servers authenticates the client computers by checking the client's response against the following criteria:

■ Does the Symantec Endpoint Protection client or the Symantec Network Access Control client run on a client computer?

■ Does the Symantec Endpoint Protection client or the Symantec Network Access Control client have the correct Globally Unique Identifier (GUID)? The GUID is a 128-bit hexadecimal number that is assigned to a client computer that runs the Symantec Endpoint Protection client or the Symantec Network Access Control client. The management server generates a GUID when the client is initially connected.

■ Does the client comply with the latest Host Integrity policy that the administrator set up on the console of the Symantec Endpoint Protection Manager?


■ The client received the latest security policy.

■ The client is trusted by a Network Access Control Scanner, has a trusted MAC,or is running a trusted operating system, if configured.

If the Integrated Enforcer for Microsoft DHCP Servers cannot authenticate the client, access to a quarantined area with limited network resources is provided to the client. The quarantine area is configured on the same computer as the Integrated Enforcer for Microsoft DHCP Servers and the Microsoft DHCP server.

You can also set up access to a remediation server. The remediation server provides clients with links to software that allows them to become security compliant.

How to get started with the installation of an Integrated Enforcer for Microsoft DHCP Servers

The documentation describes how to install, configure, and use the Integrated Enforcer for Microsoft DHCP Servers. Perform the following tasks to get started:

■ Review the components that are needed for the installation of an Integrated Enforcer for Microsoft DHCP Servers. See “Required components for an Integrated Enforcer for Microsoft DHCP Servers” on page 312.

■ Review the hardware requirements for an Integrated Enforcer for Microsoft DHCP Servers. See “Hardware requirements for an Integrated Enforcer for Microsoft DHCP Servers” on page 312.

■ Review the operating system requirements for an Integrated Enforcer for Microsoft DHCP Servers. See “Operating system requirements for an Integrated Enforcer for Microsoft DHCP Servers” on page 313.

■ Decide where to place an Integrated Enforcer for Microsoft DHCP Servers in a network environment. See “Planning for the placement of an Integrated Enforcer for Microsoft DHCP Servers” on page 313.

■ Install an Integrated Enforcer for Microsoft DHCP Servers. See “Installing an Integrated Enforcer for Microsoft DHCP Servers” on page 316.

■ Configure the connections and settings of an Integrated Enforcer for Microsoft DHCP Servers on an Enforcer console. See “About configuring the Symantec NAC Integrated Enforcer on an Enforcer console” on page 344.


Where to find more information about related documentation for an Integrated Enforcer for Microsoft DHCP Servers

The Symantec NAC Integrated Enforcer for Microsoft DHCP Servers is part of the Symantec Network Access Control software.

Table 14-1 provides additional information about the tasks that you may need to perform before or after the installation of an Integrated Enforcer for Microsoft DHCP Servers.

Table 14-1 Related documentation for an Integrated Enforcer for Microsoft DHCP Servers

Description: Describes how to install the following software components:
■ Symantec Endpoint Protection Manager
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client
It also explains how to install and configure the embedded and Microsoft SQL database, as well as how to set up replication.
Title of document: Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control

Description: Describes how to configure and administer the following software components:
■ Symantec Endpoint Protection Manager
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client
It also describes how to set up the Host Integrity policies that an Enforcer uses to implement compliance on client computers.
Title of document: Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control

Description: Explains how to use the Symantec Endpoint Protection Manager.
Title of document: Online Help for Symantec Endpoint Protection and Symantec Network Access Control


Table 14-1 Related documentation for an Integrated Enforcer for Microsoft DHCP Servers (continued)

Description: Includes the latest information about the critical Enforcer-related defects that may also affect the Symantec Endpoint Protection Manager. See the sep_readme.txt file that is located on the installation CD called CD1 for information about defects regarding Symantec Endpoint Protection. See the snac_readme.txt file that is located on the installation CD called CD2 for information about defects regarding Symantec Network Access Control.
Title of document: sep_readme.txt and snac_readme.txt files

Description: Describes how to use the following software components:
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client
Title of document: Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

Description: Describes how to use the following software components:
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client
Title of document: Online Help for a Symantec Endpoint Protection and a Symantec Network Access Control client

Description: Describes how to configure an Integrated Enforcer for Microsoft DHCP Servers.
Title of document: Online Help for an Integrated Enforcer for Microsoft DHCP Servers

Description: Describes how to configure an Integrated Enforcer for Microsoft Network Access Protection.
Title of document: Online Help for an Integrated Enforcer for Microsoft Network Access Protection (NAP)


Chapter 15: Planning for the installation of the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

This chapter includes the following topics:

■ About planning for the installation of an Integrated Enforcer for Microsoft DHCP Servers

■ Required components for an Integrated Enforcer for Microsoft DHCP Servers

■ Hardware requirements for an Integrated Enforcer for Microsoft DHCP Servers

■ Operating system requirements for an Integrated Enforcer for Microsoft DHCP Servers

■ Planning for the placement of an Integrated Enforcer for Microsoft DHCP Servers

About planning for the installation of an Integrated Enforcer for Microsoft DHCP Servers

You must meet a number of requirements before the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers can become operational. The requirements apply to both hardware and software, as well as other software components, including third-party applications.


The type of Enforcer that you can implement depends on the type of Symantec Network Access Control product that you purchased.

See your license agreement for more information.

Required components for an Integrated Enforcer for Microsoft DHCP Servers

The Integrated Enforcer for Microsoft DHCP Servers works with the Microsoft DHCP server, the Symantec Endpoint Protection Manager, and the Symantec Network Access Control client. It verifies that the clients that try to connect to the network comply with configured security policies.

Install the following required components before you use the Integrated Enforcer for Microsoft DHCP Servers:

■ Symantec Endpoint Protection Manager: required component to create security policies in a centralized location and assign them to clients.

■ Symantec Network Access Control client: required component if you want end users to be protected by the enforcement of security policies that the Integrated Enforcer for Microsoft DHCP Servers provides.

■ Microsoft Windows DHCP Server: required component if you want end users to be protected by the security policies that the Integrated Enforcer for Microsoft DHCP Servers enforces.

■ Integrated Enforcer for Microsoft DHCP Servers (installed on the same computer as the DHCP service): required component to authenticate clients and enforce security policies.

Hardware requirements for an Integrated Enforcer for Microsoft DHCP Servers

The Integrated Enforcer for Microso­ft DHCP Servers has the following RAM, processor, storage, monitor, network adapter, and network interface card requirements.

For installations of up to 10,000 users, use the following recommended requirements:

■ Pentium III 750 MHz


■ 256-MB memory

■ 120-MB disk space

■ Fast Ethernet network adapters

■ One network interface card (NIC) with TCP/IP installed

For installations of 10,000 users or greater, use the following recommended requirements:

■ Pentium 4 2.4 GHz

■ 512-MB memory

■ 512-MB disk space

■ Gigabit Ethernet network adapters

■ 800 x 600 resolution monitor with 256 colors (minimum)

■ One network interface card (NIC) with TCP/IP installed

Operating system requirements for an Integrated Enforcer for Microsoft DHCP Servers

The Symantec Integrated Enforcer requires that one of the following operating systems be installed before you can install the Integrated Enforcer for Microsoft DHCP Servers:

■ Windows 2000 Server Service Pack 4 with Microsoft DHCP server

■ Windows Server 2003 Service Pack with Microsoft DHCP server

■ Windows Server 2003 Service Pack 1 and Microsoft DHCP server

Planning for the placement of an Integrated Enforcer for Microsoft DHCP Servers

Figure 15-1 illustrates how to place the Integrated Enforcer for Microsoft DHCP Servers, the Microsoft DHCP Server, and the Symantec Endpoint Protection Manager, as well as internal or remote clients, in a network.


Figure 15-1 Placement of Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

[Figure 15-1 is a network diagram that shows the following elements: Symantec Endpoint Protection Manager, hub/switch, DHCP Server with Integrated Enforcer, corporate backbone, clients, relay agent, and protected servers.]


Chapter 16: Installing the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers

This chapter includes the following topics:

■ Before you install the Integrated Enforcer for Microsoft DHCP Servers

■ Installing an Integrated Enforcer for Microsoft DHCP Servers

■ Upgrading the Integrated Enforcer for Microsoft DHCP Servers

Before you install the Integrated Enforcer for Microsoft DHCP Servers

Before you begin to install the Symantec Integrated Enforcer, you must have completed the following installation and configuration tasks:

■ Installation of the Symantec Endpoint Protection Manager

Note: The Symantec Endpoint Protection Manager must be installed before the Integrated Enforcer for Microsoft DHCP Servers can work properly, so install the Symantec Endpoint Protection Manager first.

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for information on how to install the Symantec Endpoint Protection Manager.


■ Verification of system requirements for the computer on which you plan to install the DHCP Service and the Integrated Enforcer for Microsoft DHCP Servers. See “Required components for an Integrated Enforcer for Microsoft DHCP Servers” on page 312.

■ Installation of a Microsoft Windows 2000 Server or a Microsoft Windows 2003 Server. See the documentation that accompanies the Microsoft Windows Server application. See “Required components for an Integrated Enforcer for Microsoft DHCP Servers” on page 312.

■ Configuration of the DHCP Service on the Microsoft Windows 2000 Server or a Microsoft Windows 2003 Server. See the DHCP Service documentation that accompanies the Microsoft Windows Server application.

Installing an Integrated Enforcer for Microsoft DHCP Servers

You must install an Integrated Enforcer for Microsoft DHCP Servers on the same computer on which you have already installed the Microsoft Windows server operating system along with the DHCP Service. You must log in as an administrator or as a user in the Administrators group.

Note: After you install the Microsoft DHCP Server and the Integrated Enforcer for Microsoft DHCP Servers, you must configure the Integrated Enforcer before it can connect to the Symantec Endpoint Protection Manager.

You can install the Integrated Enforcer for Microsoft DHCP Servers by using either of the following installation methods:

■ Installation Wizard. See “To install the Integrated Enforcer for Microsoft DHCP Servers with a Wizard” on page 317.

■ Command line. See “To install the Integrated Enforcer for Microsoft DHCP Servers from the command line” on page 318.


To install the Integrated Enforcer for Microsoft DHCP Servers with a Wizard

1 Insert the installation CD2.

If the installation does not start automatically, double-click IntegratedEnforcerInstaller.exe.

You must exit the installation and install the DHCP server if you see the following message:

You must have the DHCP server on this machine to install this product. To install the DHCP server, in the Control Panel, use the Add/Remove Windows Components Wizard.

If the DHCP server is already installed, the Welcome to Symantec Integrated Enforcer Installation Wizard appears.

2 In the Welcome panel, click Next.

3 In the License Agreement panel, click I accept the license agreement.

4 Click Next.

5 In the Destination Folder panel, perform one of the following tasks:

■ If you want to accept the default destination folder, click Next.

■ Click Browse, locate and select a destination folder, click OK, and click Next.

6 If the Role Selection panel appears, select DHCP Enforcement for Microsoft DHCP Server and click Next.

The Role Selection panel only appears if more than one type of Symantec NAC Integrated Enforcer can be installed based on the services running on the server.

7 In the Ready to Install the Application panel, click Next.

8 When asked whether you want to restart the DHCP server, perform one of the following tasks:

■ To restart the DHCP server immediately, click Yes.

■ To restart the DHCP server manually later, click No. If you restart the DHCP server later, you must stop and then start it.

You must restart the DHCP server or the Symantec Integrated Enforcer does not function.


See “To stop and start the Microsoft DHCP Server manually” on page 319.

9 Click Finish.

If you need to reinstall the Integrated Enforcer, you must first uninstall it.

See “To uninstall the Integrated Enforcer for Microsoft DHCP Servers” on page 318.

See “To uninstall the Integrated Enforcer for Microsoft DHCP Servers from the command line” on page 319.

To install the Integrated Enforcer for Microsoft DHCP Servers from the command line

1 To begin the command-line installation, open a command prompt.

The command-line installation process uses only default settings.

2 At the command line, change to the directory in which the Integrated Enforcer Installer is located.

The install location defaults to C:\Program Files\Symantec\IntegratedEnforcer.

3 Type IntegratedEnforcerInstaller.exe /qr at the command line, and then press Enter.

To uninstall the Integrated Enforcer for Microsoft DHCP Servers

1 On the Windows taskbar, click Start > Control Panel > Add or Remove Programs.

2 Click Symantec Integrated Enforcer, and then click Remove.

3 When asked whether you want to remove the software, click Yes.

4 When asked whether you want to restart the DHCP server, do one of the following tasks:

■ To restart the DHCP server immediately, click Yes.

■ To restart the DHCP server manually later (the default), click No. If you restart the DHCP server later, you must stop and then start it. You must restart the DHCP server to completely uninstall the Symantec Integrated Enforcer.


To uninstall the Integrated Enforcer for Microsoft DHCP Servers from the command line

1 Open a command prompt.

2 At the command prompt, type one of the following commands, depending on the installed version:

■ Version 11.0.0000: MsiExec.exe /qn /X {C58BCCDF-A390-46CF-A328-323572E35735}

■ Version 11.0.1000 or later: msiexec.exe /qn /X <filename>, where <filename> is the installation package file under Program Files\Common Files\Wise Installation Wizard.

To stop and start the Microsoft DHCP Server manually

1 On the Windows taskbar, click Start > Control Panel > Administrative Tools > Services.

2 Click DHCP Server.

3 Right-click, and then click Stop.

4 Click Start.

Upgrading the Integrated Enforcer for Microsoft DHCP Servers

The following tasks detail how to upgrade to a Symantec NAC Integrated Enforcer:


To upgrade your Symantec NAC Integrated Enforcer

1 Uninstall the existing version of the Integrated Enforcer.

See “To uninstall the Integrated Enforcer for Microsoft DHCP Servers” on page 318.

See “To uninstall the Integrated Enforcer for Microsoft DHCP Servers from the command line” on page 319.

Note: Make sure you restart the DHCP service before you install the new version of the Integrated Enforcer.

2 Install the new version of the Integrated Enforcer.

See “To install the Integrated Enforcer for Microsoft DHCP Servers with a Wizard” on page 317.

See “To install the Integrated Enforcer for Microsoft DHCP Servers from the command line” on page 318.


Section 3: Installing the Symantec NAC Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers (Integrated Lucent Enforcer)

■ Chapter 17. Introducing the Symantec NAC Integrated Lucent Enforcer

■ Chapter 18. Planning for the installation of the Symantec NAC Integrated Lucent Enforcer

■ Chapter 19. Installing the Symantec NAC Integrated Lucent Enforcer


Chapter 17: Introducing the Symantec NAC Integrated Lucent Enforcer

This chapter includes the following topics:

■ About the Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers (Integrated Lucent Enforcer)

■ What you can do with the Integrated Lucent Enforcer

■ How the Integrated Lucent Enforcer works

■ Where to find more information about related documentation for an Integrated Lucent Enforcer

About the Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers (Integrated Lucent Enforcer)

The Integrated Lucent Enforcer works with the Lucent VitalQIP DHCP Server, version 6.2.

The Integrated Lucent Enforcer and the Symantec Endpoint Protection Manager ensure that the following applications comply with configured security policies:

■ Symantec Endpoint Protection client

■ Symantec Network Access Control client

The Integrated Lucent Enforcer verifies the compliance of client computers with the security policies that the administrator configures. It achieves security by intercepting and checking DHCP messages from each client that receives a dynamic IP address through the Lucent VitalQIP Enterprise DHCP Server. The Integrated Lucent Enforcer then groups non-secure computers into a quarantine class. It also provides non-secure computers with available but limited resources for each established security policy.

What you can do with the Integrated Lucent Enforcer

You can perform the following key tasks on the Integrated Lucent Enforcer console:

■ Configure a connection to a Symantec Endpoint Protection Manager.

■ Start and stop the Enforcer service.

■ Configure connections to Network Access Control Scanners.

■ Configure automatic quarantines.

■ View the connection status.

■ View the Client log and the System log.

■ View DHCP trusted vendors.

How the Integrated Lucent Enforcer works

The Integrated Lucent Enforcer checks each client computer that the Lucent VitalQIP Enterprise DHCP Server manages for the presence of a Symantec Endpoint Protection or Symantec Network Access Control client. The Integrated Lucent Enforcer then enforces policies for those clients as configured on the Symantec Endpoint Protection Manager, also called the management server.

The Integrated Lucent Enforcer authenticates the client computers by checking the client's response against the following criteria:

■ Does the Symantec Endpoint Protection client or the Symantec Network Access Control client run on a client computer?

■ Does the Symantec Endpoint Protection client or the Symantec Network Access Control client have the correct Globally Unique Identifier (GUID)? The GUID is a 128-bit hexadecimal number that is assigned to a client computer that runs the Symantec Endpoint Protection client or the Symantec Network Access Control client. The management server generates a GUID when the client is initially installed.

■ Host Integrity (HI) policy. A Host Integrity policy ensures that the client computer runs the required applications and data files when the client computer tries to connect to the network.


■ The profile serial number that is based on the latest configured security policies, including the latest Host Integrity policy. The Integrated Lucent Enforcer verifies that the client computer has received the latest security policies from the management server. If the profile serial number does not match, then the Integrated Lucent Enforcer notifies the client computer to update its security policies.

Note: The Integrated Lucent Enforcer uses a plug-in to interact with a Lucent VitalQIP Enterprise DHCP Server. The Integrated Lucent Enforcer depends on the Lucent VitalQIP Enterprise DHCP Server for installation: if the Lucent VitalQIP Enterprise DHCP Server is not present, the Integrated Lucent Enforcer cannot be installed.

If you stop the Lucent VitalQIP Enterprise DHCP Server, the Integrated Lucent Enforcer continues to operate. If you stop the Integrated Lucent Enforcer, the Lucent VitalQIP Enterprise DHCP Server continues to operate. By having the Integrated Lucent Enforcer and the Lucent VitalQIP Enterprise DHCP Server installed on the same computer, the need for additional hardware is eliminated.

You use the management server to configure the security policies that the Integrated Lucent Enforcer enforces. Before the Integrated Lucent Enforcer enables a client to connect to a network, it authenticates the client by verifying the following conditions:

■ The client computer has the Symantec Endpoint Protection client or the Symantec Network Access Control client installed and running.

■ The client has the correct GUID.

■ The client complies with the latest default Host Integrity policies or your custom Host Integrity policy.

■ The client received the latest security policy.

■ The client is trusted by a Network Access Control Scanner, has a trusted MAC, or is running a trusted operating system, if configured.

If the Integrated Lucent Enforcer cannot authenticate the client, access to a quarantined area with limited network resources is provided to the client. The quarantine area is configured on the same computer as the Integrated Lucent Enforcer and the Lucent VitalQIP Enterprise DHCP Server.

You can also set up access to a remediation server. The remediation server provides clients with links to software that allows them to become security compliant.
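The admission logic described above, modelled as an added Python example (this is not Symantec code). It encodes the conditions the guide lists and the fail-closed default: a client that fails any one check is quarantined, a stale profile serial number additionally triggers the policy update notification, and a client on a configured trust list (scanner, MAC, or operating system) is admitted without the client-side checks. The dataclass and field names, the sample GUID and serial values, and the reading that a trust-list match bypasses the other checks are assumptions made for the model; the guide does not describe the Enforcer's internal representation.

```python
"""Model of the Integrated Lucent Enforcer admission decision (added example)."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class ClientReport:
    """What the Enforcer learns about one client. Field names are assumptions."""
    client_running: bool           # SEP or SNAC client installed and running
    guid: str                      # GUID the client presents
    host_integrity_passed: bool    # outcome of the Host Integrity check
    profile_serial: str            # serial of the policy set the client holds
    mac: str = ""
    trusted_by_scanner: bool = False
    trusted_os: bool = False


@dataclass
class EnforcerConfig:
    """Server-side state the report is checked against. Names are assumptions."""
    known_guids: Set[str]          # GUIDs issued by the management server
    latest_profile_serial: str     # serial of the newest configured policies
    trusted_macs: Set[str] = field(default_factory=set)
    trust_exemptions_enabled: bool = False   # the guide's "if configured"


@dataclass
class Decision:
    quarantine: bool
    reasons: List[str]
    notify_policy_update: bool = False


def _is_trusted(report: ClientReport, cfg: EnforcerConfig) -> bool:
    """Trust-list exemptions apply only when the administrator enabled them."""
    if not cfg.trust_exemptions_enabled:
        return False
    trusted_macs = {m.lower() for m in cfg.trusted_macs}
    return (report.trusted_by_scanner
            or report.mac.lower() in trusted_macs
            or report.trusted_os)


def evaluate_client(report: ClientReport, cfg: EnforcerConfig) -> Decision:
    """Return the admission decision described in the guide.

    Trusted clients get a normal address at once. Every other client must pass
    all four checks; one failure is enough to quarantine (fail closed). A
    profile serial that is not the latest also makes the Enforcer tell the
    client to update its policies.
    """
    if _is_trusted(report, cfg):
        return Decision(quarantine=False, reasons=["trusted client"])

    reasons: List[str] = []
    if not report.client_running:
        reasons.append("SEP/SNAC client not installed or not running")
    if report.guid not in cfg.known_guids:
        reasons.append("GUID was not issued by the management server")
    if not report.host_integrity_passed:
        reasons.append("Host Integrity check failed")
    stale = report.profile_serial != cfg.latest_profile_serial
    if stale:
        reasons.append("profile serial number is not the latest")
    return Decision(quarantine=bool(reasons), reasons=reasons,
                    notify_policy_update=stale)


# Constructed sample state for a quick run; none of these are real identifiers.
SAMPLE_CONFIG = EnforcerConfig(
    known_guids={"00000000-0000-4000-8000-000000000001"},
    latest_profile_serial="SERIAL-0042",
    trusted_macs={"00:00:5E:00:53:01"},   # RFC 7042 documentation MAC range
)

if __name__ == "__main__":
    compliant = ClientReport(True, "00000000-0000-4000-8000-000000000001", True, "SERIAL-0042")
    stale = ClientReport(True, "00000000-0000-4000-8000-000000000001", True, "SERIAL-0041")
    for name, rep in (("compliant", compliant), ("stale policy", stale)):
        d = evaluate_client(rep, SAMPLE_CONFIG)
        print(f"{name}: quarantine={d.quarantine} notify={d.notify_policy_update} {d.reasons}")
```

The point worth noticing for a reviewer is the trust list: once exemptions are configured, a MAC or operating-system match skips the GUID, Host Integrity and policy checks entirely, so that list should stay short and be reviewed like any other allowlist.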


Where to find more information about related documentation for an Integrated Lucent Enforcer

The Integrated Lucent Enforcer is part of the Symantec Network Access Control software.

Table 17-1 provides additional information about the tasks that you may need to perform before or after the installation of an Integrated Lucent Enforcer.

Table 17-1 Related documentation for an Integrated Lucent Enforcer

Title of document: Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control
Description: Describes how to install the following software components:
■ Symantec Endpoint Protection Manager
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client
It also explains how to install and configure the embedded and Microsoft SQL database, as well as how to set up replication.

Title of document: Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control
Description: Describes how to configure and administer the following software components:
■ Symantec Endpoint Protection Manager
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client
It also describes how to set up the Host Integrity policies that an Enforcer uses to implement compliance on client computers.

Title of document: Online Help for Symantec Endpoint Protection and Symantec Network Access Control
Description: Explains how to use the Symantec Endpoint Protection Manager.

Title of document: readme.txt files
Description: Includes the latest information about the critical Enforcer-related defects that may also affect the Symantec Endpoint Protection Manager.
See the readme.txt file that is located on the installation CD called CD1 for information about defects regarding Symantec Endpoint Protection.
See the readme.txt file that is located on the installation CD called CD2 for information about defects regarding Symantec Network Access Control.

Title of document: Client Guide for Symantec Endpoint Protection and Symantec Network Access Control
Description: Describes how to use the following software components:
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client

Title of document: Online Help for a Symantec Endpoint Protection and a Symantec Network Access Control client
Description: Describes how to use the following software components:
■ Symantec Endpoint Protection client
■ Symantec Network Access Control client

Title of document: Online Help for an Integrated Lucent Enforcer
Description: Describes how to configure an Integrated Lucent Enforcer.

Title of document: Online Help for an Integrated Enforcer for Microsoft DHCP Servers
Description: Describes how to configure an Integrated Enforcer for Microsoft DHCP Servers.

Title of document: Online Help for an Integrated Enforcer for Microsoft Network Access Protection (NAP)
Description: Describes how to configure an Integrated Enforcer for Microsoft Network Access Protection.


Chapter 18
Planning for the installation of the Symantec NAC Integrated Lucent Enforcer

This chapter includes the following topics:

■ About planning for the installation of an Integrated Lucent Enforcer

■ Required components for an Integrated Lucent Enforcer

■ Planning for the placement of an Integrated Lucent Enforcer

■ Hardware requirements for an Integrated Lucent Enforcer

■ Operating system requirements for an Integrated Lucent Enforcer

About planning for the installation of an Integrated Lucent Enforcer

You must meet a number of requirements before the Integrated Lucent Enforcer can become operational. The requirements apply to both hardware and software, as well as other software components, including third-party applications.

The type of Enforcer that you can implement depends on the type of Symantec Network Access Control product that you purchased.

See your license agreement for more information.

Required components for an Integrated Lucent Enforcer

You must have already installed and configured the following components before you can install the Symantec Integrated Lucent Enforcer:

■ Lucent VitalQIP Enterprise DHCP 6.2 Server
See the accompanying Lucent VitalQIP Enterprise DHCP 6.2 Server documentation for information on how to install and configure the Lucent VitalQIP Enterprise DHCP 6.2 Server.

■ Sybase Adaptive Server Enterprise Suite 12.5.2
See the accompanying Sybase documentation for information on how to install and configure the Sybase database.

■ Symantec Endpoint Protection Manager, version 11.0.3
See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for information on how to install the Symantec Endpoint Protection Manager.

■ Symantec Network Access Control clients, version 11.0.3
See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for information on how to install the Symantec Network Access Control clients.
See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for information on how to upgrade Symantec Network Access Control clients.
See the Client Guide for Symantec Endpoint Protection and Symantec Network Access Control for information on how to use the Symantec Network Access Control client.

The components in Table 18-1 must be installed before you can successfully protect any clients.

Table 18-1 Required components for the Symantec NAC Integrated Lucent Enforcer

Name of component: Symantec Endpoint Protection Manager, version 11.0.3
Function of component: The Symantec Endpoint Protection Manager is required to create security policies in a centralized location and assign them to Symantec Network Access Control clients.

Name of component: Symantec Network Access Control client, version 11.0.3
Function of component: The Symantec clients are required to be installed and deployed on the client computers before the security policies can protect them. You configure the Host Integrity policies on the Symantec Endpoint Protection Manager.

Name of component: Sybase Adaptive Server Enterprise Suite 12.5.2
Function of component: This Sybase suite is required.

Name of component: Lucent VitalQIP Enterprise DHCP 6.2 Server
Function of component: The Lucent VitalQIP Enterprise DHCP 6.2 Server is required for the assignment of DHCP leases and IP addresses.

Name of component: Symantec NAC Integrated Lucent Enforcer
Function of component: The Symantec NAC Integrated Lucent Enforcer is required to authenticate a client's credentials and to enforce a client's compliance with a security policy.

Planning for the placement of an Integrated Lucent Enforcer

Figure 18-1 illustrates how to place the Integrated Lucent Enforcer, the Lucent VitalQIP Enterprise DHCP 6.2 Server, and the Symantec Endpoint Protection Manager, as well as internal or remote clients, in a network.


Figure 18-1 Placement of Integrated Enforcer for Alcatel-Lucent VitalQIP Servers with a Lucent VitalQIP Enterprise DHCP 6.2 Server

[Figure: network diagram with the following labelled elements: Symantec Endpoint Protection Manager, Hub/Switch, DHCP Server with Integrated Enforcer, Corporate Backbone, Clients, Relay Agent, Protected Servers]


Hardware requirements for an Integrated Lucent Enforcer

The Integrated Lucent Enforcer has RAM, processor, storage, monitor, network adapter, and network interface card hardware requirements.

For installations of up to 10,000 users, use the following recommended requirements:

■ Pentium III 750 MHz

■ 256-MB memory

■ 120-MB disk space

■ Fast Ethernet network adapters

■ One network interface card (NIC) with TCP/IP installed

For installations of 10,000 users or greater, use the following recommended requirements:

■ Pentium 4 2.4 GHz

■ 512-MB memory

■ 512-MB disk space

■ 1-GB network adapters

■ 800 x 600 resolution monitor with 256 colors (minimum)

■ One network interface card (NIC) with TCP/IP installed

Operating system requirements for an Integrated Lucent Enforcer

Before you can install the Integrated Lucent Enforcer on the same computer as the Lucent VitalQIP Enterprise DHCP 6.2 Server, you must install one of the following operating systems:

■ Windows 2000 Advanced Server with Service Pack 4 and Lucent VitalQIP Enterprise DHCP 6.2 Server or later

■ 32-bit Windows Server 2003 Standard Edition and Lucent VitalQIP Enterprise DHCP 6.2 Server or later

■ 32-bit Windows Server 2003 Standard Edition with Service Pack 1 and Lucent VitalQIP Enterprise DHCP 6.2 Server or later

■ 32-bit Windows Server 2003 Standard Edition with Service Pack 2 and Lucent VitalQIP Enterprise DHCP 6.2 Server or later

■ 32-bit Windows Server 2003 Advanced Edition and Lucent VitalQIP Enterprise DHCP 6.2 Server or later

■ 32-bit Windows Server 2003 Advanced Edition with Service Pack 1 and Lucent VitalQIP Enterprise DHCP 6.2 Server or later

■ 32-bit Windows Server 2003 Advanced Edition with Service Pack 2 and Lucent VitalQIP Enterprise DHCP 6.2 Server or later


Chapter 19
Installing the Symantec NAC Integrated Lucent Enforcer

This chapter includes the following topics:

■ Before you install the Integrated Lucent Enforcer

■ Installing an Integrated Lucent Enforcer

■ Uninstalling an Integrated Lucent Enforcer

■ Stopping and starting the Lucent VitalQIP Enterprise DHCP Server

Before you install the Integrated Lucent Enforcer

Before you begin to install the Integrated Lucent Enforcer, you must have completed the following tasks:

■ Completed the installation of Symantec Network Access Control that includes the Symantec Endpoint Protection Manager

Note: The Symantec Endpoint Protection Manager must be installed before the Integrated Lucent Enforcer can work properly.

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for information on how to install the Symantec Endpoint Protection Manager.

■ Completed the configuration, deployment, and installation of the Symantec Network Access Control client

See the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information on how to install the Symantec Network Access Control client.

■ Verified the system requirements for the computer on which you plan to install the following components:

■ Sybase database

■ Lucent VitalQIP Enterprise DHCP Server

■ Integrated Lucent Enforcer

See the documentation that accompanies the Sybase database for more information on how to install and configure the database.

See the documentation that accompanies the Lucent VitalQIP Enterprise DHCP Server for more information on how to install and configure the DHCP service.

Installing an Integrated Lucent Enforcer

You must install the Integrated Lucent Enforcer on the same computer on which you have already installed the following software:

■ Microsoft Windows server operating system

■ Sybase database

■ Lucent VitalQIP Enterprise DHCP 6.2 Server

You must log in as an administrator or as a user in the administrators group.

Note: After you complete the installation of the Integrated Lucent Enforcer, you must configure it. The Integrated Lucent Enforcer must be able to establish a connection to the Symantec Endpoint Protection Manager, which is also known as the management server.

You can install the Integrated Lucent Enforcer by using any of the following installation methods:

■ Installation Wizard

■ Command line


To install an Integrated Lucent Enforcer with a Wizard

1 Insert the installation CD that is labeled CD2.

If the installation does not start automatically, double-click IntegratedEnforcerInstaller.exe.

2 If the Lucent VitalQIP Enterprise DHCP Server is already installed, in the Welcome panel of the Symantec Integrated Lucent Enforcer Installation Wizard, click Next.

3 In the License Agreement panel, click I accept the license agreement.

4 Click Next.

5 In the Destination Folder panel, perform one of the following tasks:

■ If you want to accept the default destination folder, click Next.

■ Click Browse, locate and select a destination folder, click OK, and click Next.

6 If the Role Selection panel appears, select DHCP Enforcement for Alcatel-Lucent VitalQIP® DHCP Server and click Next.

The Role Selection panel only appears if more than one type of Symantec NAC Integrated Enforcer can be installed based on the services running on the server.

7 In the Ready to Install the Application panel, click Next.

8 When asked whether you want to restart the Lucent VitalQIP Enterprise DHCP Server, perform one of the following tasks:

■ To restart the Lucent VitalQIP Enterprise DHCP Server immediately, click Yes.

■ To restart the Lucent VitalQIP Enterprise DHCP Server manually later, click No.
If you restart the Lucent VitalQIP Enterprise DHCP Server later, you must stop and then start it.

You must restart the Lucent VitalQIP Enterprise DHCP Server or the Integrated Lucent Enforcer does not function.

See “Stopping and starting the Lucent VitalQIP Enterprise DHCP Server” on page 339.

9 Click Finish.

If you need to reinstall the Integrated Lucent Enforcer, you must first uninstall it.

See “Uninstalling an Integrated Lucent Enforcer” on page 338.


To install an Integrated Lucent Enforcer from the command line

1 To begin the command-line installation, open a DOS command prompt.

The command-line installation process uses only default settings.

2 At the command line, specify the directory in which the Integrated Lucent Enforcer Installer is located.

The install location defaults to C:\Program Files\Symantec\Integrated Enforcer.

3 Type IntegratedEnforcerInstaller.exe /qr at the command line and press Enter.

Uninstalling an Integrated Lucent Enforcer

You may need to uninstall the Integrated Lucent Enforcer at times. You can uninstall the Integrated Lucent Enforcer by using the utility in the Control Panel or from the command line.

To uninstall an Integrated Lucent Enforcer

1 On the Windows taskbar, click Start > Control Panel > Add or Remove Programs.

2 Click Symantec Integrated Enforcer, and then click Remove.

3 When asked whether you want to remove the software, click Yes.

4 When asked whether you want to restart the Lucent VitalQIP Enterprise DHCP Server, perform one of the following tasks:

■ To restart the Lucent VitalQIP Enterprise DHCP Server immediately, click Yes.

■ To restart the Lucent VitalQIP Enterprise DHCP Server manually later (the default), click No.
If you restart the Lucent VitalQIP Enterprise DHCP Server later, you must stop and then start it.
You must restart the Lucent VitalQIP Enterprise DHCP Server to completely uninstall the Integrated Lucent Enforcer.

To uninstall an Integrated Lucent Enforcer from the command line

1 Open a DOS command prompt.

2 At the command prompt, type: MsiExec.exe /qn /X{A145EB45-0852-4E18-A9DC-9983A6AF2329}


Stopping and starting the Lucent VitalQIP Enterprise DHCP Server

You may need to stop and start the Lucent VitalQIP Enterprise DHCP Server at times.

To stop and start the Lucent VitalQIP Enterprise DHCP Server

1 On the Windows taskbar, click Start > Control Panel > Administrative Tools > Services.

2 Click Lucent DHCP Service.

3 Right-click, and then click Stop.

4 Click Start.


Section 4
Configuring Symantec NAC Integrated Enforcers on the Enforcer console

■ Chapter 20. Configuring the Symantec NAC Integrated Enforcers on the Enforcer console

Chapter 20
Configuring the Symantec NAC Integrated Enforcers on the Enforcer console

This chapter includes the following topics:

■ About configuring the Symantec NAC Integrated Enforcer on an Enforcer console

■ Establishing or changing communication between a Symantec NAC Integrated Enforcer and Symantec Endpoint Protection Manager servers

■ Configuring automatic quarantine

■ Configuring Symantec NAC Integrated Enforcer basic settings

■ Editing a Symantec Endpoint Protection Manager connection

■ Configuring a trusted vendor list

■ Viewing Enforcer logs on an Enforcer console

■ Configuring logs for the Symantec NAC Integrated Enforcer

■ Configuring Symantec NAC Integrated Enforcer authentication settings

■ Establishing communication between a Symantec NAC Integrated Enforcer and a Network Access Control Scanner on an Enforcer console

■ Configuring Symantec NAC Integrated Enforcer advanced settings

■ Stopping and starting communication services between an Integrated Enforcer and a management server

■ Disconnecting an Integrated Lucent Enforcer from a management server on an Enforcer console

■ Configuring a secure subnet mask

About configuring the Symantec NAC Integrated Enforcer on an Enforcer console

After you complete the installation of a Symantec NAC Integrated Enforcer, there are two stages of configuration. First, configure the settings on the Integrated Enforcer console. Secondly, move to the Symantec management console of the Symantec Endpoint Protection Manager to make any desired changes to the configuration settings for the group that the Integrated Enforcer is part of. These tasks are outlined below.

■ On the Enforcer console of an Integrated Enforcer for Microsoft DHCP Servers, establish communication between the Integrated Enforcer and a management server.
See “Establishing or changing communication between a Symantec NAC Integrated Enforcer and Symantec Endpoint Protection Manager servers” on page 344.
On the management console of a Symantec Endpoint Protection Manager, configure the Symantec NAC Integrated Enforcer configuration settings.

■ Set up the DHCP server with a quarantine configuration.
You must configure a quarantine user class and add resources to the quarantine class for each subnet. Alternatively, you can use the Integrated Enforcer Automatic Quarantine Configuration option. This option allows the Integrated Enforcer for Microsoft DHCP Servers to configure the user class and resources, but only if there is no quarantine class configured previously.
See “Configuring automatic quarantine” on page 347.

■ If you did not restart the DHCP service on the DHCP server when you installed the Integrated Enforcer, stop and start it manually now.

Establishing or changing communication between a Symantec NAC Integrated Enforcer and Symantec Endpoint Protection Manager servers

You must specify one or more Symantec Endpoint Protection Managers to which the Integrated Enforcer can connect. After you set up the management server list, you must configure the connection with the encrypted password, group name, and communication protocol. The encrypted password was previously known as a preshared key.

After the Integrated Enforcer connects to a management server, it registers itself automatically.

See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information about management server lists.

To establish communication between an Integrated Enforcer and a Symantec Endpoint Protection Manager server from the Symantec NAC Integrated Enforcer console

1 On the Windows taskbar of the Integrated Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec NAC Integrated Enforcer.

The Symantec NAC Integrated Enforcer configuration console appears. This main page shows the connection status between the Integrated Enforcer and the Symantec Endpoint Protection Manager. A green light indicates that the Integrated Enforcer is actively connected to the management server. A red light indicates that the connection is disabled.

2 In the left-hand panel, click Symantec Integrated Enforcer > Configure > Management Servers.

3 In the Management Servers panel, click Add in the icon column that is located at the right of the management servers list.

4 In the Add/Edit Management Server dialog box, type the IP address or name of the Symantec Endpoint Protection Manager in the Server address text field.

You can type an IP address, host name, or domain name. If you want to use a host name or a domain name, ensure that the name will be resolved correctly by the domain name server (DNS server).

5 In the Add/Edit Management Server dialog box, edit the port number that the Integrated Enforcer uses to communicate with the Symantec Endpoint Protection Manager.

The default port number is 8014 for the HTTP protocol and 443 for the HTTPS protocol. The HTTPS protocol must be configured identically on the Symantec Endpoint Protection Manager and the Integrated Enforcer.

6 Click OK.


7 Click either the Move up arrow or the Move down arrow from the icon column that is located to the right of the management servers list to optionally change the order of the management servers that the Symantec NAC Integrated Enforcer uses to connect to a Symantec Endpoint Protection Manager.

The first time the Symantec NAC Integrated Enforcer connects to Symantec Endpoint Protection Manager, it tries to connect to the first server that is listed in the management server list. If the management server is not available, the Symantec NAC Integrated Enforcer connects to the next management server that appears in the management server list.

8 In the Encrypted password text box, type the password of the Symantec Endpoint Protection Manager you are connecting to.

The Symantec Endpoint Protection Manager and Integrated Enforcer must use the same encrypted password for communication.

To display the letters and numbers of the preshared key instead of asterisks, check Unmask.

9 In the Preferred group text box, type a name for the Integrated Enforcer group.

If you do not specify a group name, the Symantec Endpoint Protection Manager assigns the Symantec NAC Integrated Enforcer to a default Enforcer group with default settings. The default group name is I-DHCP. However, a Symantec NAC Integrated Enforcer for Microsoft NAP Servers and appliance-based enforcers must each be in a separate group.

You can view the group settings from the Symantec Endpoint Protection Manager Console on the View Servers page.

10 To specify the protocol that the Symantec NAC Integrated Enforcer uses to communicate with the Symantec Endpoint Protection Manager, select HTTP or HTTPS.

You can only use the HTTPS protocol if the Symantec Endpoint Protection Manager is running Secure Sockets Layer (SSL).

If you select HTTPS and want to require verification of the Symantec Endpoint Protection Manager’s certificate with a trusted third-party certificate authority, check Verify certificate when using HTTPs protocol.

11 Click Save.

After the Integrated Enforcer connects to the Symantec Endpoint Protection Manager, you can change most of the configuration settings on the Symantec Endpoint Protection Manager Console. However, the preshared secret or encrypted password must be the same on the Integrated Enforcer and the Symantec Endpoint Protection Manager in order for them to communicate.
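The management server list behaviour from the procedure above (ordered failover, the 8014/443 port defaults, and the HTTPS certificate verification option), as an added Python model. This is not Symantec code: the `ManagementServer`, `select_server` and `audit_servers` names, the reachability probe, and the sample host names and addresses are all constructed for the example. The audit function is the check a reviewer would run over the configured list, flagging entries that talk HTTP or that use HTTPS without verifying the manager's certificate.

```python
"""Model of the Integrated Enforcer's management server list (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Port defaults stated in the guide: 8014 for HTTP, 443 for HTTPS.
DEFAULT_PORTS = {"http": 8014, "https": 443}


@dataclass(frozen=True)
class ManagementServer:
    """One entry of the list. Field names are assumptions for the model."""
    address: str                      # IP address, host name, or domain name
    protocol: str = "http"            # "http" or "https"
    port: Optional[int] = None        # None means the protocol's default port
    verify_certificate: bool = False  # "Verify certificate when using HTTPs protocol"

    def effective_port(self) -> int:
        proto = self.protocol.lower()
        if proto not in DEFAULT_PORTS:
            raise ValueError(f"unsupported protocol: {self.protocol!r}")
        return self.port if self.port is not None else DEFAULT_PORTS[proto]

    def url(self) -> str:
        return f"{self.protocol.lower()}://{self.address}:{self.effective_port()}/"


def select_server(servers: List[ManagementServer],
                  reachable: Callable[[ManagementServer], bool]) -> Optional[ManagementServer]:
    """Failover as the guide describes: try the servers in list order and use
    the first one that answers. None means every server failed (red light)."""
    for server in servers:
        if reachable(server):
            return server
    return None


def audit_servers(servers: List[ManagementServer]) -> List[str]:
    """Configuration findings a reviewer would raise on the list, in list order."""
    findings: List[str] = []
    if not servers:
        findings.append("management server list is empty")
    for s in servers:
        proto = s.protocol.lower()
        if proto == "http":
            findings.append(f"{s.address}: HTTP, Enforcer-to-manager traffic is not protected by SSL")
        elif proto == "https" and not s.verify_certificate:
            findings.append(f"{s.address}: HTTPS without certificate verification, "
                            "the manager's identity is not checked against a trusted CA")
    return findings


if __name__ == "__main__":
    # Constructed list: the primary is down, so the Enforcer falls through to the next entry.
    servers = [
        ManagementServer("sepm-primary.example.com", "https", verify_certificate=True),
        ManagementServer("192.0.2.10", "https"),
        ManagementServer("sepm-legacy.example.com"),
    ]
    down = {"sepm-primary.example.com"}
    chosen = select_server(servers, lambda s: s.address not in down)
    print("connected to", chosen.url() if chosen else "nothing")
    for finding in audit_servers(servers):
        print("warning:", finding)
```

Because the list is walked in order, the ordering set with the Move up and Move down arrows decides which manager the Enforcer talks to after an outage; the audit only covers settings visible in this dialog and says nothing about the encrypted password, which must simply match on both sides.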


Configuring automatic quarantine

The clients that try to connect to the network send a DHCP request to the DHCP server.

Either the Symantec NAC Integrated Enforcer can perform the quarantine configuration based on allowed IP addresses, or you can configure a quarantine user class and add resources to it for each subnet from inside the DHCP server. The Integrated Enforcer appends the quarantine user class to all DHCP messages that come from non-compliant or unknown clients. It also renews the requests from the client to the DHCP server. Clients that are trusted are immediately assigned a normal IP address and are not quarantined. Unknown or untrusted clients are quarantined, authenticated, renewed if authentication succeeds, and then assigned a normal IP address.

Access is based on the Host Integrity policy and group settings that are defined in the Symantec Endpoint Protection Manager.

Enter a list of IP addresses that you want to allow quarantined computers to access, even if authentication fails.

To configure automatic quarantine for a Symantec NAC Integrated Enforcer

1 On the Windows taskbar of the Integrated Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec NAC Integrated Enforcer.

2 In the left-hand panel, click Symantec Integrated Enforcer > Configure > Automatic Quarantine Configuration.

3 In the Automatic Quarantine Configuration page of the Integrated Enforcer, click Add to begin creating an IP address list.

4 Enter an allowed IP address and click OK to add the IP address to the list.

5 Click Add again to continue adding IP addresses to the list.

6 Modify the IP address list by clicking Edit, Remove, Remove all, Move Up, or Move down.

7 When all IP addresses are listed or modified, click OK at the bottom of the page to save your configuration.


To set up a quarantine configuration on a DHCP server (advanced optional task)

1 On the DHCP server, click Start > Administrative Tools > DHCP.

To renew the request with a quarantine configuration, the Integrated Enforcer dynamically appends a quarantine DHCP user class to the DHCP messages that come from the non-compliant clients. You define the quarantine user class by adding an ID called SYGATE_ENF. Then you assign the user class various resources, which include a gateway IP address, lease time, a DNS server, and enough static routes for remediation.

2 In the tree of the DHCP dialog box, right-click the DHCP server, and click Define User Classes.

3 In the DHCP User Classes dialog box, click Add.

4 In the New Class dialog box, type a display name that identifies this quarantine user class as the quarantine configuration, and an optional description.

For example, you can identify a quarantine user class with a name such as QUARANTINE.

5 To define a new user class, click the ASCII column and type SYGATE_ENF in uppercase letters.

6 Click OK.

7 Click Close.

To configure scope options on a DHCP server (advanced optional task)

1 In the tree, right-click Server Options.

2 Click Configure Options....

3 On the General tab, check 003 Router and configure the IP address of the router that is associated with the DHCP relay client.

4 On the Advanced tab, in the Vendor class drop-down list, click DHCP Standard Options.

5 On the Advanced tab, in the User class drop-down list, click QUARANTINE.

6 Check 003 Router.

7 In the IP address field, type 127.0.0.1 (recommended). However, it is up to the administrator to decide which router IP, if any, to assign to quarantined clients.

8 Check 051 Lease.

9 Type the hexadecimal value of the lease time in seconds.

For example, for 2 minutes, type 0x78.


10 Click OK.

11 Click File > Exit.
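The DHCP mechanics behind the quarantine configuration above (the Enforcer appending the SYGATE_ENF user class to a non-compliant client's request, and the QUARANTINE class being served a router of 127.0.0.1 and a short lease whose value the console takes in hex), as an added Python example that is neither Symantec's nor Microsoft's code. It serves both the "Configuring automatic quarantine" description and the DHCP console procedure. Option codes are the standard ones (User Class is option 77 per RFC 3004, Router is 3 and IP Address Lease Time is 51 per RFC 2132); that the Enforcer writes the class ID as the raw ASCII bytes of option 77 is an assumption, as the guide only says the ID is typed in the console's ASCII column. The function names and the constructed DHCPDISCOVER options are mine.

```python
"""DHCP options behind the quarantine configuration (added example)."""
import ipaddress
import struct
from typing import Dict, List, Tuple

# Option codes from RFC 2132 / RFC 3004; SYGATE_ENF is the class ID from the guide.
OPT_PAD = 0
OPT_ROUTER = 3
OPT_LEASE_TIME = 51
OPT_USER_CLASS = 77
OPT_END = 255
QUARANTINE_CLASS = b"SYGATE_ENF"


def lease_seconds_to_console_hex(seconds: int) -> str:
    """Value to type for 051 Lease in the DHCP console: 120 s -> '0x78'."""
    if not 0 < seconds <= 0xFFFFFFFF:
        raise ValueError("lease time must be a positive 32-bit value")
    return f"0x{seconds:X}"


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (code, value) pairs as code/length/value triples plus END."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < OPT_END or len(value) > 255:
            raise ValueError(f"option {code}: bad code or payload too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse code/length/value triples; skips PAD, stops at END, rejects truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated payload")
        opts[code] = value
        i += 2 + length
    raise ValueError("missing END option")


def append_quarantine_class(request_options: bytes) -> bytes:
    """What the Enforcer does to a non-compliant client's request: add the
    quarantine user class so the DHCP server answers from the QUARANTINE
    class options. Raw ASCII in option 77 is an assumption about the wire form."""
    opts = decode_options(request_options)
    opts[OPT_USER_CLASS] = QUARANTINE_CLASS
    return encode_options(list(opts.items()))


def is_quarantine_request(request_options: bytes) -> bool:
    """True when the request carries the quarantine user class."""
    return decode_options(request_options).get(OPT_USER_CLASS) == QUARANTINE_CLASS


def quarantine_offer_options(router: str = "127.0.0.1", lease_seconds: int = 120) -> bytes:
    """Options the server hands the quarantine class: the guide's recommended
    router 127.0.0.1 (no usable gateway) and a short lease (2 minutes)."""
    return encode_options([
        (OPT_ROUTER, ipaddress.IPv4Address(router).packed),
        (OPT_LEASE_TIME, struct.pack("!I", lease_seconds)),
    ])


if __name__ == "__main__":
    # Constructed DHCPDISCOVER options: message type 1 (option 53), no user class yet.
    discover = encode_options([(53, b"\x01")])
    tagged = append_quarantine_class(discover)
    print("quarantine class present:", is_quarantine_request(tagged))
    offer = decode_options(quarantine_offer_options())
    print("router:", ipaddress.IPv4Address(offer[OPT_ROUTER]),
          "lease:", struct.unpack("!I", offer[OPT_LEASE_TIME])[0], "s,",
          "console value:", lease_seconds_to_console_hex(120))
```

The short lease is what makes the scheme work: a quarantined client has to come back within two minutes, at which point the Enforcer can re-evaluate it and, once it complies, let the renewal go through without the user class so the server hands out a normal address.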

Configuring Symantec NAC Integrated Enforcer basic settings

You can add or edit the description of a Symantec NAC Integrated Enforcer or an Integrated Enforcer group in the Symantec Endpoint Protection Manager Console. You can also add or edit them on the Integrated Enforcer console.

See “Adding or editing the description of an Enforcer group with a Symantec NAC Integrated Enforcer” on page 350.

See “Adding or editing the description of a Symantec NAC Integrated Enforcer” on page 350.

However, you cannot add or edit the name of an Integrated Enforcer group in the Symantec Endpoint Protection Manager Console. You cannot add or edit the IP address or host name of an Integrated Enforcer in the Symantec Endpoint Protection Manager Console. Instead, you must perform these tasks on the Enforcer console.

See “Adding or editing the name of an Enforcer group for Symantec NAC Integrated Enforcer” on page 349.

You can add or edit the IP address or host name of an Integrated Enforcer in a management server list.

See “Adding or editing the IP address or host name of a Symantec NAC Integrated Enforcer” on page 350.

You must connect the Integrated Enforcer to a Symantec Endpoint Protection Manager.

See “Connecting the Symantec NAC Integrated Enforcer to a Symantec Endpoint Protection Manager” on page 351.

Adding or editing the name of an Enforcer group for Symantec NAC Integrated Enforcer

You can add or edit the name of an Enforcer group of which an Integrated Enforcer is a member. You perform these tasks on the Enforcer console during the installation. Later, if you want to change the name of an Enforcer group, you can do so on the Enforcer console.


See “Establishing or changing communication between a Symantec NAC Integrated Enforcer and Symantec Endpoint Protection Manager servers” on page 344.

All Enforcers in a group share the same configuration settings.

Adding or editing the description of an Enforcer group with a Symantec NAC Integrated Enforcer

You can add or edit the description of an Enforcer group of which a Symantec NAC Integrated Enforcer is a member. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the Integrated Enforcer console.

To add or edit the description of an Enforcer group with a Symantec NAC Integrated Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select and expand the Enforcer group whose name you want to add or edit.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the General tab, add or edit a description for the Enforcer group in the Description field.

6 In the Settings dialog box, click OK.

Adding or editing the IP address or host name of a Symantec NAC Integrated Enforcer

You can only change the IP address or host name of an Integrated Enforcer on the Enforcer console during the installation. If you want to change the IP address or host name of an Integrated Enforcer at a later time, you can do so on the Integrated Enforcer console.

Adding or editing the description of a Symantec NAC Integrated Enforcer

You can add or edit the description of a Symantec NAC Integrated Enforcer. You can perform this task on the Symantec Endpoint Protection Manager Console instead of the Integrated Enforcer console. After you complete this task, the description appears in the Description field of the Management Server pane.


To add or edit the description of a Symantec NAC Integrated Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the Enforcer group that includes the Integrated Enforcer whose description you want to add or edit.

4 Select the Integrated Enforcer whose description you want to add or edit.

5 Under Tasks, click Edit Enforcer Properties.

6 In the Enforcer Properties dialog box, add or edit a description for the Integrated Enforcer in the Description field.

7 Click OK.

Connecting the Symantec NAC Integrated Enforcer to a Symantec Endpoint Protection Manager

Enforcers must be able to connect to servers on which the Symantec Endpoint Protection Manager is installed. The Symantec Endpoint Protection Manager includes a file that helps manage the traffic between clients, Symantec Endpoint Protection Managers, and optional Enforcers such as an Integrated Enforcer. This file is called a management server list.

The management server list specifies to which Symantec Endpoint Protection Manager server an Integrated Enforcer connects. It also specifies to which Symantec Endpoint Protection Manager server an Integrated Enforcer connects if a management server fails.

A default management server list is automatically created for each site during the initial installation. All available Symantec Endpoint Protection Managers at that site are automatically added to the default management server list.

A default management server list includes the management servers' IP addresses or host names to which Integrated Enforcers can connect after the initial installation. You may want to create a custom management server list before you deploy any Enforcers. If you create a custom management server list, you can specify the priority in which an Integrated Enforcer connects to management servers.

You can select the specific management server list that includes the IP addresses or host names of those management servers to which you want the Integrated Enforcer to connect. If there is only one management server at a site, you can select the default management server list.


See the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control for more information on how to customize management server lists.

To connect the Symantec NAC Integrated Enforcer to a Symantec Endpoint Protection Manager

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Integrated Enforcer for which you want to change the IP address or host name in a management server list.

4 Under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the General tab, under Communication, select the management server list that you want this Integrated Enforcer to use.

6 On the General tab, under Communication, click Select.

You can view the IP addresses and host names of all available management servers, as well as the priorities that have been assigned to them.

7 In the Management Server List dialog box, click Close.

8 In the General dialog box, click OK.

Editing a Symantec Endpoint Protection Manager connection

You can update the Symantec Endpoint Protection Manager server address and port information as required.

To edit a Symantec Endpoint Protection Manager connection

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated Enforcer.

2 In the left-hand panel, expand Symantec Integrated Enforcer.

3 Expand Configure.

4 Click Management Servers.

5 In the Management Servers panel, click Edit from the icon column that is located to the right of the management servers list.


6 In the Add/Edit Management Server dialog box, type the IP address or name of the Symantec Endpoint Protection Manager in the Server address text field.

You can type an IP address, host name, or domain name. If you want to use a host name or a domain name, the Symantec NAC Integrated Enforcer must be able to reach a DNS server to resolve it.

7 Click OK.

Configuring a trusted vendor list

Agents cannot be installed on some network devices such as printers or IP telephones. To allow for those cases, you can configure a trusted vendor list. If the name of the vendor is considered trusted, then the Symantec NAC Integrated Enforcer will not authenticate the device. The devices will obtain normal IP addresses from the DHCP server.

To configure a trusted vendor list

1 On the Windows taskbar of the Integrated Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec NAC Integrated Enforcer.

2 In the left-hand panel, click Symantec Integrated Enforcer > Configure > DHCP Trusted Vendors Configuration.

3 To enable the trusted vendor list, check Turn on Trusted Vendors.

When the Turn on Trusted Vendors box is checked, Host Integrity will not be enforced for DHCP traffic from the selected trusted vendors.

4 Select the vendors you want to establish as trusted vendors.

5 Click Save.

Viewing Enforcer logs on an Enforcer console

The Symantec NAC Integrated Enforcer automatically logs messages in the Enforcer Client log and the Enforcer System log. These Enforcer logs are uploaded to the Symantec Endpoint Protection Manager. The client log provides information about client connections and communication with the Integrated Enforcer. The system log records information that relates to the Integrated Enforcer itself, such as instances of starting and stopping the Enforcer service.

In the Symantec Endpoint Protection Manager, you can enable and disable logging and set log file parameters for the Integrated Enforcer. All logs are enabled and sent to the Symantec Endpoint Protection Manager by default.


To view Enforcer logs on an Enforcer console

1 In the left pane, expand Symantec NAC Integrated Enforcer.

2 Expand View Logs, and click System Log or click Client Log.

3 To view any changes to the log since you last opened the log, click Refresh.

4 Click OK.

Configuring logs for the Symantec NAC Integrated Enforcer

Logs for the Symantec NAC Integrated Enforcer are stored on the same computer on which you installed the Symantec NAC Integrated Enforcer. Enforcer logs are generated by default.

If you want to view Enforcer logs on the Symantec Endpoint Protection Manager Console, you must enable the sending of logs on the Symantec Endpoint Protection Manager Console. If this option is enabled, the log data is sent from the Integrated Enforcer to the Symantec Endpoint Protection Manager and stored in a database.

You can modify the log settings for the Integrated Enforcer on the Symantec Endpoint Protection Manager Console. Activities are recorded in the same Enforcer Server log for all Enforcers on a site.

You can configure settings for the following logs that the Integrated Enforcer generates:

■ Enforcer Server log
The Enforcer Server log provides the information that is related to the functioning of an Enforcer.

■ Enforcer Client log
The Client log provides information about interactions between the Integrated Enforcer and the clients that have tried to connect to the network. It provides information on authentication, failed authentication, and disconnection.

Configuring Symantec NAC Integrated Enforcer authentication settings

You can specify a number of authentication settings for an Integrated Enforcer authentication session. When you apply these changes, they are automatically sent to the selected Integrated Enforcer during the next heartbeat.


About using authentication settings

You may want to implement a number of authentication settings to further secure the network.

Table 20-1 provides more information about the options on the Authentication tab.

Table 20-1 Authentication configuration settings for a Symantec NAC Integrated Enforcer

Option: Maximum number of packets per authentication session
Description: The maximum number of challenge packets that the Integrated Enforcer sends in each authentication session. The default number is 10. See “Specifying the maximum number of challenge packets during an authentication session” on page 358.

Option: Time between packets in authentication session
Description: The time (in seconds) between each challenge packet that the Enforcer sends. The default value is 3 seconds. See “Specifying the frequency of challenge packets to be sent to clients” on page 358.

Option: Allow all clients, but continue to log which clients are not authenticated
Description: If this option is enabled, the Enforcer authenticates all users by checking that they are running a client. It then forwards the client's DHCP request to receive a normal rather than a quarantine network configuration, whether the checks pass or fail. The default setting is not enabled. See “Allowing all clients with continued logging of non-authenticated clients” on page 359.

Option: Allow all clients with non-Windows operating systems
Description: If this option is enabled, the Integrated Enforcer checks the operating system of the client. The Integrated Enforcer then allows all clients that do not run a Windows operating system to receive a normal network configuration without being authenticated. If this option is not enabled, those clients receive a quarantine network configuration. The default setting is not enabled. See “Allowing non-Windows clients to connect to a network without authentication” on page 360.

Option: Check the Policy Serial Number on Client before allowing Client into network
Description: If this option is enabled, the Integrated Enforcer verifies that the client has received the latest security policies from the management server. If the policy serial number is not the latest, the Integrated Enforcer notifies the client to update its security policy and forwards the client's DHCP request to receive a quarantine network configuration. If this option is not enabled and the Host Integrity check is successful, the Integrated Enforcer forwards the client's DHCP request to receive a normal network configuration, even if the client does not have the latest security policy. The default setting is not enabled. See “Having the Symantec NAC Integrated Enforcer check the Policy Serial Number on a client” on page 361.

Option: Enable pop-up message on client if Client is not running
Description: This option is displayed but currently unavailable for Symantec NAC Integrated Enforcer. See “Sending a message from a Symantec NAC Integrated Enforcer to a client about non-compliance” on page 362.

About authentication sessions

When a client tries to access the internal network, the Symantec NAC Integrated Enforcer first detects whether the client computer is running the client software. If it is, the Enforcer forwards the client's DHCP message to the DHCP server to obtain a quarantine IP address with a short lease time. This process is used internally by the Integrated Enforcer for its authentication process.

The Integrated Enforcer then begins its authentication session with the client. An authentication session is a set of challenge packets that the Integrated Enforcer sends to a client.

During the authentication session, the Enforcer sends a challenge packet to the client at a specified frequency. The default setting is every three seconds.

The Integrated Enforcer continues to send packets until one of the following conditions is met:

■ The Integrated Enforcer receives a response from the client


■ The Integrated Enforcer has sent the maximum number of packets specified. The default setting is 10.

The frequency (3 seconds) times the number of packets (10) is the value that is used for the Enforcer heartbeat. The heartbeat is the interval that the Integrated Enforcer allows the client to remain connected before it starts a new authentication session. The default setting is three seconds.

The client sends information to the Integrated Enforcer that contains the following items:

■ Unique identification (UID)

■ Its current Profile Serial Number

■ The results of the Host Integrity check

The Integrated Enforcer verifies the client UID and the Policy Serial Number with the Symantec Endpoint Protection Manager. If the client has been updated with the latest security policies, its Policy Serial Number matches the one that the Integrated Enforcer receives from the management server. The Host Integrity check results show whether or not the client complies with the current security policies.

If the client information passes the authentication requirements, the Symantec NAC Integrated Enforcer forwards its DHCP request to the DHCP server. The Integrated Enforcer expects to receive a normal DHCP network configuration. Otherwise the Integrated Enforcer forwards it to the quarantine DHCP server to receive a quarantine network configuration.

You can install one DHCP server on one computer and configure it to provide both a normal and a quarantine network configuration.

After the heartbeat interval or whenever the client tries to renew its IP address, the Integrated Enforcer starts a new authentication session. The client must respond to retain the connection to the internal network.

The Integrated Enforcer disconnects the clients that do not respond.

For the clients that were previously authenticated but now fail authentication, the Integrated Enforcer sends a message to the DHCP server. The message is a request for the release of the current IP address. The Integrated Enforcer then sends a DHCP message to the client. The client then sends a request for a new IP address and network configuration to the Integrated Enforcer. The Integrated Enforcer forwards this request to the quarantine DHCP server.


Specifying the maximum number of challenge packets during an authentication session

During the authentication session, the Integrated Enforcer sends a challenge packet to the client at a specified frequency.

The Integrated Enforcer continues to send packets until one of the following conditions is met:

■ The Integrated Enforcer receives a response from the client

■ The Integrated Enforcer has sent the specified maximum number of packets.

The default setting is 10 for the maximum number of challenge packets for an authentication session.

To specify the maximum number of challenge packets during an authentication session

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Integrated Enforcer for which you want to specify the maximum number of challenge packets during an authentication session.

4 Under Tasks, click Edit Group Properties.

5 On the Authentication tab, type the maximum number of challenge packets that you want to allow during an authentication session in the Maximum number of packets per authentication session field.

The default setting is 10.

6 In the Settings dialog box, on the Authentication tab, click OK.

Specifying the frequency of challenge packets to be sent to clients

During the authentication session, the Integrated Enforcer sends a challenge packet to the client at a specified frequency.

The Integrated Enforcer continues to send packets until one of the following conditions is met:

■ The Integrated Enforcer receives a response from the client

■ The Integrated Enforcer has sent the specified maximum number of packets.

The default setting is every 3 seconds.


To specify the frequency of challenge packets to be sent to clients

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Integrated Enforcer for which you want to specify the frequency of challenge packets to be sent to clients.

4 Under Tasks, click Edit Group Properties.

5 On the Authentication tab, under Authentication Parameters, type the number of seconds that you want the Integrated Enforcer to wait between the challenge packets that it sends to a client during an authentication session in the Time between packets in authentication session field.

The default setting is every 3 seconds.

6 In the Settings dialog box, on the Authentication tab, click OK.

Allowing all clients with continued logging of non-authenticated clients

It can take some time to deploy all the client software. You may want to configure the Integrated Enforcer to allow all clients to connect to the network until you have finished distributing the client package to all users. These users all connect to an Integrated server at the location of this Integrated Enforcer.

The Integrated Enforcer still authenticates all users by checking that they are running a client, checking Host Integrity, and logging the results. It forwards the DHCP requests to receive the normal DHCP server network configuration instead of the quarantine network configuration. This process occurs regardless of whether the Host Integrity checks pass or fail.

The default setting is not enabled.

Use the following guidelines when you apply the configuration settings:

■ This setting should be a temporary measure because it makes the network less secure.

■ While this setting is in effect, you can review Enforcer logs. You can learn about the types of clients that try to connect to the network at that location. For example, you can review the Client Activity Log to see if any of the clients do not have the client software installed. You can then make sure that the client software is installed on those clients before you disable this option.


To allow all clients with continued logging of non-authenticated clients

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Integrated Enforcer for which you want to allow all clients while continuing the logging of non-authenticated clients.

4 Under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Allow all clients, but continue to log which clients are not authenticated.

The default setting is not enabled.

6 In the Settings dialog box, on the Authentication tab, click OK.

Allowing non-Windows clients to connect to a network without authentication

The Integrated Enforcer cannot authenticate a client that runs a non-Windows operating system. Therefore, non-Windows clients cannot connect to the network unless you specifically allow them to connect to the network without authentication.

The default setting is not enabled.

You can use one of the following methods to enable the clients that run a non-Windows platform to connect to the network:

■ Specify each non-Windows client as a trusted host.

■ Allow all clients with non-Windows operating systems.

To allow non-Windows clients to connect to a network without authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Integrated Enforcer for which you want to allow all non-Windows clients to connect to a network.

4 Under Tasks, click Edit Group Properties.


5 In the Settings dialog box, on the Authentication tab, check Allow all clients with non-Windows operating systems.

The default setting is not enabled.

6 In the Settings dialog box, on the Authentication tab, click OK.

Having the Symantec NAC Integrated Enforcer check the Policy Serial Number on a client

The Symantec Endpoint Protection Manager updates a client’s Policy Serial Number every time that the client's security policy changes. When a client connects to the Symantec Endpoint Protection Manager, it receives the latest security policies and the latest Policy Serial Number.

When a client tries to connect to the network through the Integrated Enforcer, the Integrated Enforcer retrieves the Policy Serial Number from the Symantec Endpoint Protection Manager. The Integrated Enforcer then compares the Policy Serial Number with the one that it receives from the client. If the Policy Serial Numbers match, the Integrated Enforcer has validated that the client is running an up-to-date security policy.

The default value for this setting is not enabled.

The following guidelines apply:

■ If the Check the Policy Serial Number on Client before allowing Client into network option is checked, a client must have the latest security policy before it can connect to the network through the normal DHCP server. If the client does not have the latest security policy, the client is notified to download the latest policy. The Integrated Enforcer then forwards its DHCP request to receive a quarantine network configuration.

■ If the Check the Policy Serial Number on Client before allowing Client into network option is not checked and the Host Integrity check is successful, a client can connect to the network. The client can connect through the normal DHCP server even if its security policy is not up to date.

To have the Symantec NAC Integrated Enforcer check the Policy Serial Number on a client

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

The Enforcer group must include the Integrated Enforcer that checks the Policy Serial Number on a client.


4 Under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Authentication tab, check Check the Policy Serial Number on the Client before allowing a Client into the network.

6 In the Settings dialog box, on the Authentication tab, click OK.

Sending a message from a Symantec NAC Integrated Enforcer to a client about non-compliance

Although this option is displayed, it is currently unavailable for Symantec NAC Integrated Enforcer configuration.

Establishing communication between a Symantec NAC Integrated Enforcer and a Network Access Control Scanner on an Enforcer console

The Integrated Enforcer can be configured to connect to Network Access Control Scanners. When a Network Access Control Scanner is enabled, it checks client security. If the scanner determines that the client software is not running on the client computer, the policy rule is engaged. The client is either allowed or denied access to the internal network.

Note: Symantec Network Access Control Scanner does not support a printer connection to Symantec NAC Integrated Enforcers. Printers do not accept the static routes that are configured for a Symantec NAC Integrated Enforcer. Therefore the Symantec Network Access Control Scanner cannot communicate with a printer that is connected to an Integrated Enforcer.

Note: The Integrated Enforcer service needs to be restarted after you enable or disable the scanner.

To establish communication between a Symantec NAC Integrated Enforcer and a Network Access Control Scanner from the Enforcer console

1 On the Windows taskbar of the Integrated Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec NAC Integrated Enforcer.

2 In the left-hand panel, click Symantec Integrated Enforcer > Configure > Network Access Control Scanner.


3 To enable network scanners, check Turn on NAC scanner.

4 To add or edit a Network Access Control Scanner, click Add.

5 In the Add/Edit management server dialog box of the NAC scanner, enter the IP address, host name, or DNS name and click OK.

6 Enter the encryption password that is configured on the scanner.

The preshared secret or encrypted password must match the preshared secret or encrypted password that is defined on the scanner.

To display the letters and numbers of the preshared key instead of asterisks, check Unmask.

7 After scanner addresses are added to the Address list, you can modify the list by clicking Edit, Remove, Remove all, Move Up, or Move Down.

The Integrated Enforcer connects to the NAC scanners in the order in which they are listed in the NAC Scanner Address list.

8 Click OK to complete the NAC Scanner Address list and configuration.

The Integrated Enforcer service needs to be restarted after you enable or disable the scanner.

Configuring Symantec NAC Integrated Enforcer advanced settings

You can configure the following Integrated Enforcer advanced configuration settings:

■ Timeout parameters, Authentication timeout, and DHCP message timeout
Although these options are displayed, they are currently unavailable for Symantec NAC Integrated Enforcer configuration.

■ MAC addresses for the trusted hosts that the Integrated Enforcer allows to connect to the normal DHCP server without authentication
See “Enabling servers, clients, and devices to connect to the network as trusted hosts without authentication” on page 364.

■ Enabling local authentication
See “Enabling local authentication on the Integrated Enforcer” on page 365.

When you apply any of these configuration settings, the changes are sent to the selected Symantec NAC Integrated Enforcer during the next heartbeat.


Enabling servers, clients, and devices to connect to the network as trusted hosts without authentication

A trusted host is typically a server on which the client software cannot be installed, such as a non-Windows server, or a device, such as a printer. You may also want to identify non-Windows clients as trusted hosts because the Integrated Enforcer is unable to authenticate any clients that do not run the Symantec Endpoint Protection client or the Symantec Network Access Control client.

You can use MAC addresses to designate certain servers, clients, and devices as trusted hosts.

When you designate servers, clients, and devices as trusted hosts, the Integrated Enforcer passes all DHCP messages from the trusted host to the normal DHCP server without authenticating the trusted host.

To enable servers, clients, and devices to connect to the network as trusted hosts without authentication

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Enforcers.

4 Select the Integrated Enforcer that permits servers, clients, and the devices that have been designated as trusted hosts to connect to the network without authentication.

5 Under Tasks, click Edit Group Properties.

6 In the Settings dialog box, on the Advanced tab, under Trusted Hosts, click Add.

7 In the Add Trusted Host dialog box, type the MAC address for the client or the trusted host in the Host MAC address field.

You can also copy a set of MAC addresses from a text file.

When you specify a MAC address, you can use a wildcard character if you type it for all three fields on the right.

For example, 11-22-23-*-*-* represents the correct use of the wildcard character. However, 11-22-33-44-*-66 does not represent the correct use of the wildcard character.

8 Click OK.


9 In the Settings dialog box, on the Advanced tab, click OK.

The MAC address for the trusted host that you added now appears in the Settings dialog box in the MAC Address area.

10 Click OK.
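As an added example (not part of the Symantec guide), the following Python encodes the wildcard rule from step 7 so that a trusted-host list copied from a text file can be checked before it is pasted into the console; the function names and the sample list are this example's own. It also reports how many addresses each entry admits without authentication, because a wildcarded entry covers a whole 24-bit vendor block.

```python
"""Trusted-host MAC entries for the Symantec NAC Integrated Enforcer.

Encodes the rule stated in the Enforcer guide: an entry is six two-digit hex
fields separated by '-', and a '*' wildcard is valid only when it fills all
three right-hand fields (11-22-23-*-*-*). 11-22-33-44-*-66 is rejected.
Names and helper logic here are this example's own, not the product's API.
"""
import re
from typing import Iterable, List, Tuple

HEX_PAIR = re.compile(r"^[0-9A-F]{2}$")
WILDCARD_SUFFIX = (False, False, False, True, True, True)


def normalize_mac(text: str) -> List[str]:
    """Split a MAC written as 11-22-33-44-55-66, 11:22:33:44:55:66 or
    112233445566 into six upper-case fields (wildcards kept as '*')."""
    s = text.strip().upper().replace(":", "-")
    if "-" not in s and len(s) == 12:
        s = "-".join(s[i:i + 2] for i in range(0, 12, 2))
    return s.split("-")


def validate_trusted_host_entry(entry: str) -> bool:
    """True if the entry follows the guide's format and wildcard rule."""
    fields = normalize_mac(entry)
    if len(fields) != 6:
        return False
    wild = tuple(f == "*" for f in fields)
    if any(wild) and wild != WILDCARD_SUFFIX:
        return False  # wildcard anywhere but all three right-hand fields
    return all(HEX_PAIR.match(f) for f, w in zip(fields, wild) if not w)


def addresses_covered(entry: str) -> int:
    """How many distinct MAC addresses an entry admits without authentication.
    A wildcarded entry covers a whole 24-bit vendor block (2**24 addresses)."""
    if not validate_trusted_host_entry(entry):
        raise ValueError(f"invalid trusted-host entry: {entry}")
    return 1 << (8 * normalize_mac(entry).count("*"))


def matches_trusted_host(client_mac: str, entry: str) -> bool:
    """Does a concrete client MAC fall under one trusted-host entry?"""
    if not validate_trusted_host_entry(entry):
        raise ValueError(f"invalid trusted-host entry: {entry}")
    client = normalize_mac(client_mac)
    if len(client) != 6 or not all(HEX_PAIR.match(f) for f in client):
        raise ValueError(f"malformed client MAC: {client_mac}")
    return all(p == "*" or p == c for p, c in zip(normalize_mac(entry), client))


def is_trusted(client_mac: str, entries: Iterable[str]) -> bool:
    """True if any entry in the trusted-host list matches the client."""
    return any(matches_trusted_host(client_mac, e) for e in entries)


def load_trusted_hosts(text: str) -> Tuple[List[str], List[str]]:
    """Split a pasted text file into (accepted, rejected) entries, one per
    line; blank lines and '#' comments are ignored. Rejected entries are
    returned so they can be reviewed rather than silently dropped."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        (accepted if validate_trusted_host_entry(line) else rejected).append(line)
    return accepted, rejected


# Constructed sample list, as it might be pasted from a text file.
SAMPLE_LIST = """
# printers that cannot run the SNAC client
00-1A-2B-3C-4D-5E
11-22-23-*-*-*        # whole vendor block: 16,777,216 addresses
11-22-33-44-*-66      # rejected: wildcard not in all three right fields
00:1a:2b:3c:4d:5f
"""

if __name__ == "__main__":
    ok, bad = load_trusted_hosts(SAMPLE_LIST)
    for e in ok:
        print(f"{e:<20} covers {addresses_covered(e):>10,} address(es)")
    print("rejected:", bad)
    print("client 11-22-23-AA-BB-CC trusted?", is_trusted("11-22-23-AA-BB-CC", ok))
```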

Enabling local authentication on the Integrated Enforcer

With local authentication enabled, if the Integrated Enforcer loses its connection with the client on which the Symantec Endpoint Protection Manager is installed, the Integrated Enforcer authenticates clients locally. In this case, the Integrated Enforcer considers the client a valid user and only checks the client’s Host Integrity status.

Note: If the Integrated Enforcer does not lose its connection with the Symantec Endpoint Protection Manager server, it always asks the Symantec Endpoint Protection Manager server to verify the client’s UID regardless of whether local authentication is enabled or disabled.

To enable local authentication on the Integrated Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Integrated Enforcers.

4 Under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Enable Local Authentication.

6 Click OK.

Stopping and starting communication services between an Integrated Enforcer and a management server

For troubleshooting purposes, you can stop and start either the Enforcer service or the service (SNACLink.exe) that communicates with the Symantec Endpoint Protection Manager. If you stop the Enforcer service, the Integrated Enforcer removes the compliance information for existing clients. It also stops collecting information for new clients. However, it continues to communicate with a Symantec Endpoint Protection Manager.


If the Symantec Endpoint Protection Manager is unavailable, the Integrated Enforcer still enforces the policy version and GUID for all authenticated clients. The same process is followed if you stop the connection to the Symantec Endpoint Protection Manager. This information is stored in the local cache (but only if cache is enabled). It automatically authenticates new clients (based on their host integrity status) but it skips the GUID and policy verification.

As soon as the communication to the Symantec Endpoint Protection Manager is reestablished, the Integrated Enforcer updates the policy version. It also authenticates the clients that have been added since the connection was lost.

Note: You can configure the Symantec NAC Integrated Enforcer to quarantine new clients instead of authenticating them while the Symantec Endpoint Protection Manager connection is unavailable. You accomplish this goal by changing the default value of the DetectEnableUidCache key in the registry.

Stopping the Integrated Enforcer does not affect the DHCP server. If the Integrated Enforcer is stopped, the DHCP server functions as if no Enforcer was ever installed. If the DHCP server becomes unavailable, the Integrated Enforcer stops collecting compliance status about new clients. However, it continues to communicate with existing clients and continues to log status changes. The DHCP server may become unavailable because of maintenance and other problems.

To stop and start the communication services between an Integrated Enforcer and a management server

1 Start the Symantec NAC Integrated Enforcer.

2 Click Symantec NAC Integrated Enforcer.

3 Perform one or both of the following tasks:

■ In the Enforcer service group box, click Stop. This option stops the Enforcer service.

■ In the Management server communication service group box, click Stop. This option stops the Enforcer service that connects to the Symantec Endpoint Protection Manager.


If the status is set to Stopped, the service is not running.

4 To restart either service, click Start.

If you turn off or restart the computer to which a Symantec NAC Integrated Enforcer is connected, the Enforcer service restarts automatically when the computer restarts.

If the server communication service is stopped and subsequently restarted, the Symantec NAC Integrated Enforcer tries to connect to the Symantec Endpoint Protection Manager to which it last connected. If that Symantec Endpoint Protection Manager is unavailable, the Integrated Enforcer connects to the first management server that is listed in the management server list.

Disconnecting an Integrated Lucent Enforcer from a management server on an Enforcer console

You may need to disconnect an Integrated Lucent Enforcer from a management server under the following circumstances:

■ Troubleshooting an Integrated Lucent Enforcer.

■ Troubleshooting a management server.

Warning: Be sure to stop the Enforcer service before you try to disconnect an Integrated Lucent Enforcer from a management server. Clients may no longer be able to connect to the network unless you have set up failover management servers.

If you want to disconnect an Integrated Lucent Enforcer from a management server, you need to delete the IP address, host name, or domain name from the designated management server list.

You can perform this task on an Enforcer console or on a management server console.

To disconnect an Integrated Lucent Enforcer from a management server on an Enforcer console

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated Lucent Enforcer.

2 In the left-hand panel, expand Symantec Lucent Enforcer.

3 Expand Configure.

4 Click Management Servers.


5 In the Management Servers panel, select the management server that you want to disconnect from the Integrated Lucent Enforcer.

6 In the icon column that is located to the right of the management servers list, click Remove or Remove All.

7 Click Save.

Configuring a secure subnet mask

The Integrated Enforcer Advanced Settings configuration page allows users to bypass quarantine and communicate with the legacy 5.1.x Symantec Policy Manager server.

Note: The secure subnet mask (255.255.255.255) option is only available with the Symantec NAC Integrated Enforcer for Microsoft DHCP Servers.

To connect to a legacy Symantec Endpoint Protection Manager server

1 Check the option Use secure subnet mask (255.255.255.255) for quarantine IP address, or uncheck it to use the default subnet mask 255.255.255.0.

2 Click OK to save your configurations.


Section 5. Installing and configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

■ Chapter 21. Introducing the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

■ Chapter 22. Planning for the installation of the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

■ Chapter 23. Installing the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

■ Chapter 24. Configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection on an Enforcer console

■ Chapter 25. Configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection on a Symantec Endpoint Protection Manager console


Chapter 21. Introducing the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

This chapter includes the following topics:

■ About the Integrated Enforcer for Microsoft Network Access Protection

About the Integrated Enforcer for Microsoft Network Access Protection

The Integrated Enforcer for Microsoft Network Access Protection (NAP) works in concert with the Microsoft Windows Network Policy Server (NPS) on a Microsoft Windows Server 2008. The Symantec Integrated NAP Enforcer ensures that the clients that try to connect to the network comply with configured security policies.

NAP restricts access to networks by creating a controlled environment. It checks the security posture of a client before the client can connect to the enterprise network. If a client is noncompliant, NAP either corrects the security posture or limits access for endpoints that do not meet a company's security policy.

Network Access Protection is a client health policy creation, enforcement, and remediation technology that is included in the Windows Server 2008 operating system. System administrators can create and automatically enforce security health policies. These security health policies may include software requirements, security update requirements, required computer configurations, and other settings. Client computers that are not in compliance with a security health policy can be provided with restricted network access until their configuration is updated and brought into compliance with a policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

If you configure a Network Policy Server (NPS) as a Network Access Protection (NAP) policy server, NPS evaluates statements of health (SoH) that are sent by NAP-capable client computers that want to connect to the network. You can configure NAP policies on NPS that allow client computers to update their configuration to become compliant with your organization’s network policy.

NAP helps you with the following tasks:

■ Checking adherence to endpoint security policies

■ Controlling guest access

■ Authenticating end users


Chapter 22. Planning for the installation of the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

This chapter includes the following topics:

■ About planning for the installation of the Symantec Integrated NAP Enforcer

■ Required components for a Symantec Integrated NAP Enforcer

■ Hardware requirements for a Symantec Integrated NAP Enforcer

■ Operating system requirements for a Symantec Integrated NAP Enforcer

■ Operating system requirements for a Symantec Network Access Control client

About planning for the installation of the Symantec Integrated NAP Enforcer

You must meet a number of requirements before the Integrated Enforcer for Microsoft Network Access Protection (NAP) can become operational. The requirements apply to both hardware and software, as well as other software components, including third-party applications.


The type of Enforcer that you can implement depends on the type of Symantec Network Access Control product that you purchased.

See your license agreement for more information.

Required components for a Symantec Integrated NAP Enforcer

The Symantec Integrated NAP Enforcer works with the Microsoft DHCP Server, the Symantec Endpoint Protection Manager, and the Symantec Network Access Control client with Network Access Protection enabled. The Symantec Integrated NAP Enforcer verifies that the clients comply with configured security policies before any clients can connect to a network.

The following required components must be installed before you can use the Symantec Integrated NAP Enforcer:

■ Symantec Endpoint Protection Manager version 11.0.2: Required to create security policies in a centralized location and assign them to clients.

■ Windows 2008 server: Required installation of the Microsoft Windows Server with the DHCP Server service and the Network Policy Server service. These two services must be installed and configured before you can install the Symantec Integrated NAP Enforcer. The DHCP Server service as well as the Network Policy Server (NPS) service must also be installed on the same computer.

■ Domain Controller: Required installation of the Domain Controller on the same computer as the Symantec Endpoint Protection Manager or on a different computer that supports Microsoft Windows Server 2003.

■ Symantec Integrated NAP Enforcer: Required to authenticate clients and enforce security policies.

■ Symantec Network Access Control client: Required installation of the Symantec Network Access Control client.

Hardware requirements for a Symantec Integrated NAP Enforcer

The Symantec Integrated NAP Enforcer includes RAM, processor, storage, monitor, network adapter, and network interface card hardware requirements.


For installations of up to 10,000 users, use the following recommended requirements:

■ Pentium III 750 MHz

■ 256-MB memory

■ 120-MB disk space

■ Fast Ethernet network adapters

■ One network interface card (NIC) with TCP/IP installed

For installations of 10,000 users or greater, use the following recommended requirements:

■ Pentium 4 2.4 GHz

■ 512-MB memory

■ 512-MB disk space

■ 1-GB network adapters

■ 800 x 600 resolution monitor with 256 colors (minimum)

■ One network interface card (NIC) with TCP/IP installed

Operating system requirements for a Symantec Integrated NAP Enforcer

The Symantec Integrated NAP Enforcer requires that the following operating system and services are installed:

■ Windows 2008 server Standard Edition and Windows 2008 server Enterprise Edition

■ You can select one of the following configurations:

■ Windows Server 2008 DHCP service if you plan to use DHCP enforcement. The Windows 2008 DHCP service should be located on the same computer as the Windows Server 2008 Network Policy Server.

■ Windows DHCP service if you plan to use 802.1x enforcement. The Windows DHCP service can be located on the same computer as the Windows Server 2008 Network Policy Server. You can also configure the DHCP service on a separate computer that you have configured as a Windows 2008 DHCP server or a Windows 2003 DHCP server.

■ Windows Server 2008 Network Policy Server (NPS) service


Operating system requirements for a Symantec Network Access Control client

The Symantec Network Access Control client requires one of the following operating systems to be installed on the client computer:

■ Windows Vista (x86) Home Basic Edition, Home Premium Edition, Business Edition, Enterprise Edition, Ultimate Edition

■ Windows Vista Home Basic x64 Edition, Home Premium x64 Edition, Business x64 Edition, Enterprise x64 Edition, Ultimate x64 Edition

■ Windows Vista (x86) with Service Pack 1 Home Basic Edition, Home Premium Edition, Business Edition, Enterprise Edition, Ultimate Edition

■ Windows Vista with Service Pack 1 Home Basic x64 Edition, Home Premium x64 Edition, Business x64 Edition, Enterprise x64 Edition, Ultimate x64 Edition

■ XP Professional with Service Pack 3


Chapter 23. Installing the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection

This chapter includes the following topics:

■ Before you install the Symantec Integrated NAP Enforcer

■ Installing the Symantec Integrated NAP Enforcer

Before you install the Symantec Integrated NAP Enforcer

Before you install the Symantec Integrated NAP Enforcer, you must have completed the following installation and configuration tasks:

■ Installation of the Symantec Endpoint Protection Manager

Note: It is recommended that you install the Symantec Endpoint Protection Manager before you install the Symantec Integrated NAP Enforcer. The Symantec Endpoint Protection Manager must be installed before the Symantec Integrated NAP Enforcer can work properly.

See the Installation Guide for Symantec Enterprise Protection and Symantec Network Access Control on how to install the Symantec Endpoint Protection Manager.


■ Verification of hardware and software requirements for the computer on which you plan to install the following components:

■ DHCP Server service

■ Network Access Protection Server service

■ Domain Controller

■ Symantec Integrated NAP Enforcer

See “Required components for a Symantec Integrated NAP Enforcer” on page 374.

Installing the Symantec Integrated NAP Enforcer

You must install the Symantec Integrated NAP Enforcer on the same computer on which you have already installed the Microsoft Windows server operating system. The DHCP Server service and the Network Access Protection Server service should have already been installed and configured on the same computer. You must log in as an administrator or a user in the administrators group.

Note: After you complete the installation of the Symantec Integrated NAP Enforcer, you must connect to the Symantec Endpoint Protection Manager.

You can install the Symantec Integrated NAP Enforcer by using the Installation Wizard.

See “To install the Symantec Integrated NAP Enforcer with the Installation Wizard” on page 378.

To install the Symantec Integrated NAP Enforcer with the Installation Wizard

1 Insert the installation CD for Symantec Network Access Control into the CD-ROM drive to start the installation automatically.

If the installation does not start, click IntegratedEnforcerInstaller.exe.

You must exit the installation and install the NAP server if the NAP server is not already installed.

If the NAP Server service is already installed, the Welcome to Symantec Integrated NAP Enforcer Installation Wizard appears.

2 In the Welcome panel, click Next.

3 In the License Agreement panel, click I accept the license agreement.

4 Click Next.

5 In the Destination Folder panel, perform one of the following tasks:


■ If you want to accept the default destination folder, click Next. The application is automatically installed in the C:\Program Files\Symantec\Integrated Enforcer\ folder.

■ Click Browse to locate and select a destination folder, click OK, and click Next.

6 If the Role Selection panel appears, select NAP Enforcement and click Next.

The Role Selection panel only appears if more than one type of Symantec NAC Integrated Enforcer can be installed based on the services running on the server.

7 In the Ready to Install the Application panel, click Next.

If you need to modify any of the previous settings, click Back.

8 Click Finish.

If you need to reinstall the Symantec Integrated NAP Enforcer, you must first uninstall it.

See “To uninstall the Symantec Integrated NAP Enforcer” on page 379.

See “To uninstall the Symantec Integrated NAP Enforcer from the command line” on page 380.

9 Click Start > Programs > Symantec Enterprise Protection > Symantec Integrated Enforcer.

To uninstall the Symantec Integrated NAP Enforcer

1 On the Windows taskbar, click Start > Control Panel > Add or Remove Programs.

2 Click Symantec Integrated Enforcer, and then click Remove.

3 When asked whether you want to remove the software, click Yes.

4 When asked whether you want to restart the NAP server, do one of the following tasks:

■ To restart the NAP server immediately, click Yes.

■ To restart the NAP service manually later (the default), click No. If you restart the NAP service later, you must stop and then start it. You must restart the NAP service to completely uninstall the Symantec Integrated Enforcer.


To uninstall the Symantec Integrated NAP Enforcer from the command line

1 Open a DOS command prompt.

2 At the command prompt, type: MsiExec.exe /qn /X{A145EB45-0852-4E18-A9DC-9983A6AF2329}

3 Restart the NAP server.

To stop and start the NAP server manually

1 On the Windows taskbar, click Start > Control Panel > Administrative Tools > Services.

2 Click NAP Server.

3 Right-click, and then click Stop.

4 Click Start.


Chapter 24. Configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection on an Enforcer console

This chapter includes the following topics:

■ About configuring a Symantec Integrated NAP Enforcer on an Enforcer console

■ Connecting a Symantec Integrated NAP Enforcer to a management server on an Enforcer console

■ Encrypting communication between a Symantec Integrated NAP Enforcer and a management server

■ Setting up an Enforcer group name on the Symantec Integrated NAP Enforcer console

■ Setting up an HTTP communication protocol on the Symantec Integrated NAP Enforcer console


About configuring a Symantec Integrated NAP Enforcer on an Enforcer console

After you complete the installation of the Symantec Integrated NAP Enforcer, you must perform the following tasks before the Symantec Integrated NAP Enforcer can become operational:

■ Specify at least one Symantec Endpoint Protection Manager to which the Symantec Integrated NAP Enforcer can connect. You include the host name or IP address of the Symantec Endpoint Protection Manager in a file that is called a management server list. The Symantec Integrated NAP Enforcer must connect to an IP address or host name of a Symantec Endpoint Protection Manager. Otherwise the configuration fails. See “Connecting a Symantec Integrated NAP Enforcer to a management server on an Enforcer console” on page 382.

■ Add an encrypted password or a preshared secret that you configured during the installation of the Symantec Endpoint Protection Manager. The encrypted password was previously known as a preshared key. See “Encrypting communication between a Symantec Integrated NAP Enforcer and a management server” on page 384.

■ Set up an Enforcer group name. See “Setting up an Enforcer group name on the Symantec Integrated NAP Enforcer console” on page 385.

■ Set up an HTTP communication protocol. See “Setting up an HTTP communication protocol on the Symantec Integrated NAP Enforcer console” on page 386.

Connecting a Symantec Integrated NAP Enforcer to a management server on an Enforcer console

You need to connect a Symantec Integrated Network Access Protection Enforcer to a management server on a Network Access Protection Enforcer console.


To connect a Symantec Integrated NAP Enforcer to a management server on an Enforcer console

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated NAP Enforcer.

The Symantec Integrated NAP Enforcer console appears. The main page shows the connection status between the Symantec Integrated NAP Enforcer and the Symantec Endpoint Protection Manager. A green light indicates that the Symantec Integrated NAP Enforcer is actively connected to a management server. A red light indicates that the connection failed.

2 In the left-hand panel, expand Symantec NAP Enforcer.

3 In the left-hand panel, expand Configure.

4 In the left-hand panel, click Management Servers.

5 In the Management Servers panel, click Add from the icon column that is located to the right of the management servers list.

6 In the Add/Edit Management Server dialog box, type the IP address or name of the Symantec Endpoint Protection Manager in the Server address text field.

You can type an IP address, host name, or domain name. If you want to use a domain name, the Symantec Integrated NAP Enforcer must be able to connect to a Domain Name System (DNS) server.

7 In the Add/Edit Management Server dialog box, edit the port number that the Symantec Integrated NAP Enforcer uses to communicate with the Symantec Endpoint Protection Manager.

The default port number is 80 for the HTTP protocol and 443 for the HTTPS protocol. You can only use the HTTPS protocol if it is configured in the same way on the Symantec Endpoint Protection Manager.

8 Click OK.

9 In the Add/Edit Management Server dialog box, select a different management server.

You can change the order of the management servers that the Symantec Integrated NAP Enforcer uses to connect to a Symantec Endpoint Protection Manager.


10 Click the Move up or Move down arrows from the icon column that is located to the right of the management servers list.

When a Symantec Integrated NAP Enforcer connects to a Symantec Endpoint Protection Manager for the first time, it tries to connect to the first management server that is listed in the management server list. If the management server is not available, the Symantec Integrated NAP Enforcer connects to the next management server that appears in the management server list.

11 To edit a management server, click Edit from the icon column and modify the management server address or port information.

To remove a Symantec Endpoint Protection Manager from a management server list on a Symantec Integrated NAP Enforcer console

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated NAP Enforcer.

2 In the left-hand panel, expand Symantec NAP Enforcer.

3 Expand Configure.

4 Click Management Servers.

5 To remove a Symantec Endpoint Protection Manager, click Remove or Remove All from the icon column.

Encrypting communication between a Symantec Integrated NAP Enforcer and a management server

If you want to add another layer of security, you can secure communication between the Symantec Integrated NAP Enforcer and the Symantec Endpoint Protection Manager through encryption. Encrypted communication requires the use of the HTTPS protocol instead of the HTTP protocol. You also need to purchase a third-party certificate from a vendor.

You typically configure an encrypted password during the installation of the Symantec Endpoint Protection Manager for the first time. The same password must be configured on the Symantec Integrated NAP Enforcer. If the encrypted passwords do not match, communication between the Symantec Integrated NAP Enforcer and the Symantec Endpoint Protection Manager fails.


To encrypt communication between a Symantec Integrated NAP Enforcer and a management server

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated NAP Enforcer.

2 In the left-hand panel, expand Symantec NAP Enforcer.

3 Expand Configure.

4 Click Management Servers.

5 Type the encrypted password in the Encrypted Password text box on the Symantec Integrated NAP Enforcer console.

The Symantec Integrated NAP Enforcer must use the same encrypted password for communication with the Symantec Endpoint Protection Manager. The encrypted password is always configured during the installation of the Symantec Endpoint Protection Manager.

6 Check Unmask.

The letters and numbers of the encrypted password now appear instead of asterisks.

7 Click OK.

Setting up an Enforcer group name on the Symantec Integrated NAP Enforcer console

You must add a name for the Enforcer group. After the Symantec Integrated NAP Enforcer connects to a Symantec Endpoint Protection Manager, it registers the name of the Enforcer group automatically on the management server.

To set up an Enforcer group name on the Symantec Integrated NAP Enforcer console

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated NAP Enforcer.

2 In the left-hand panel, expand Symantec NAP Enforcer.

3 Expand Configure.

4 Click Management Servers.


5 In the right-hand panel, type the name of the Enforcer group in the Preferred group text box on the Symantec Integrated NAP Enforcer console.

If you do not add a name for the Integrated Enforcer group on the Enforcer console, then all Integrated Enforcers automatically become part of the Temporary group on the management server. If you add the name of the Integrated Enforcer group on the Enforcer console, then the name of the Enforcer group is automatically registered on the management server.

6 Click OK.

Setting up an HTTP communication protocol on the Symantec Integrated NAP Enforcer console

You need to establish a communication protocol between the Symantec Integrated NAP Enforcer and the Symantec Endpoint Protection Manager. Otherwise the communication between the Symantec Integrated NAP Enforcer and the Symantec Endpoint Protection Manager fails.

You can set up an HTTP or HTTPS protocol. If you select the HTTPS protocol, you need to purchase a certificate from a third-party vendor.

To set up an HTTP communication protocol on the Symantec Integrated NAP Enforcer console

1 On the Windows taskbar of the Enforcer computer, click Start > Programs > Symantec Endpoint Protection > Symantec Integrated NAP Enforcer.

2 In the left-hand panel, expand Symantec NAP Enforcer.

3 Expand Configure.

4 Click Management Servers.

5 In the right-hand panel of the Symantec Integrated NAP Enforcer console, click HTTP.

If you want to set up encrypted communication between the Symantec Integrated NAP Enforcer and the Symantec Endpoint Protection Manager, you must use the HTTPS protocol.

6 If you need to verify the certificate because you use the HTTPS protocol,check Verify certificate when using HTTPS protocol.

7 Click OK.


Chapter 25

Configuring the Symantec NAC Integrated Enforcer for Microsoft Network Access Protection on a Symantec Endpoint Protection Manager console

This chapter includes the following topics:

■ About configuring the Symantec Integrated NAP Enforcer on a Symantec Endpoint Protection Manager Console

■ Enabling NAP enforcement for clients

■ Verifying that the management server manages the client

■ Verifying Security Health Validator policies

■ Verifying that the client passes the Host Integrity check

■ Enabling local authentication on the Symantec Integrated NAP Enforcer

■ Configuring logs for the Symantec Integrated NAP Enforcer

Page 388: Enforcer Implementation Guide SNAC11.0.5

About configuring the Symantec Integrated NAP Enforcer on a Symantec Endpoint Protection Manager Console

If you want to support the Symantec Integrated NAP Enforcer in a network environment, you must enable NAP enforcement on the Symantec Endpoint Protection Manager. Otherwise the Enforcer will work incorrectly.

You also need to define one or more criteria for the Security Health Validator policy requirements. For example, you can verify whether or not the client's Security Health Validator policy is the latest one that has been installed on a client. If it is not the latest Security Health Validator policy, then the client is blocked and is therefore unable to connect to the network.

Enabling NAP enforcement for clients

You must enable NAP enforcement for Symantec Endpoint Protection and Symantec Network Access Control clients. If you do not enable Network Access Protection (NAP) enforcement for clients, the Symantec Integrated NAP Enforcer cannot implement any Security Health Validator policies.

To enable NAP enforcement for clients

1 In the Symantec Endpoint Protection Manager Console, click Clients.

2 In the Clients page, under View Groups, select the group for which you want to enable NAP enforcement.

3 On the Policies tab, click General Settings.

4 In the Settings dialog box, click Security Settings.

5 On the Security Settings tab, in the Enforce Client area, check Enable NAP Enforcement.

The Enable NAP Enforcement setting is disabled by default.

6 Click OK.

Verifying that the management server manages the client

You can set up a verification check to ensure that the Symantec Endpoint Protection Manager manages the Symantec Endpoint Protection client or the Symantec Network Access Control client.


Page 389: Enforcer Implementation Guide SNAC11.0.5

To verify that the management server manages the client

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View, select the Enforcer group for which you want to verify that the management server manages the client.

4 Right-click the Enforcer group and select Edit Properties.

5 In the Client Information area on the NAP Setting tab in the I-DHCP Settings dialog, check Verify that the management server manages the client.

The Verify that the management server manages the client setting is disabled by default.

6 In the Client Information area on the NAP Setting tab in the I-DHCP Settings dialog, click OK.

Verifying Security Health Validator policies

You can make sure that the Symantec Endpoint Protection and Symantec Network Access Control clients have the latest Security Health Validator policies installed.

To verify Security Health Validator policies

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View, select the group for which you want to set up Security Health Validator policies.

4 Right-click the Enforcer group and select Edit Properties.

5 In the Client Information area on the NAP Setting tab in the I-DHCP Settings dialog, check Verify that the Security Health Validator policy is current.

The Verify that the Security Health Validator policy is current setting is disabled by default.

6 Click OK.

Verifying that the client passes the Host Integrity check

You can set up a compliance check for clients on the Symantec Endpoint Protection Manager.


Page 390: Enforcer Implementation Guide SNAC11.0.5

To verify that the client passes the Host Integrity check

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View, select the Enforcer group for which you want to verify that the client has passed the Host Integrity check.

4 Right-click the Enforcer group and select Edit Properties.

5 In the Host Integrity Status area on the NAP Setting tab in the I-DHCP Settings dialog, check Verify that the client passes the Host Integrity check.

The Verify that the client passes the Host Integrity check setting is disabled by default.

6 Click OK.

Enabling local authentication on the Symantec Integrated NAP Enforcer

With local authentication enabled, if the Symantec Integrated NAP Enforcer loses its connection with the client on which the Symantec Endpoint Protection Manager is installed, the Symantec Integrated NAP Enforcer authenticates clients locally. In this case, the Symantec Integrated NAP Enforcer considers the client a valid user and only checks the client’s Host Integrity status.

Note: If the Symantec Integrated NAP Enforcer does not lose its connection with the Symantec Endpoint Protection Manager server, it always asks the Symantec Endpoint Protection Manager server to verify the client’s UID regardless of whether local authentication is enabled or disabled.

To enable local authentication on the Symantec Integrated NAP Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 Under View Servers, select and expand the group of Symantec Integrated NAP Enforcers.

4 Under Tasks, click Edit Group Properties.

5 In the Settings dialog box, on the Advanced tab, check Enable Local Authentication.

6 Click OK.


Page 391: Enforcer Implementation Guide SNAC11.0.5

Configuring logs for the Symantec Integrated NAP Enforcer

Logs for the Symantec Integrated NAP Enforcer are stored on the same computer on which you installed the Symantec Integrated NAP Enforcer. Enforcer logs are generated by default.

If you want to view Enforcer logs on the Symantec Endpoint Protection Manager Console, you must enable the sending of logs on the Symantec Endpoint Protection Manager Console. If this option is enabled, the log data is sent from the Symantec Integrated NAP Enforcer to the Symantec Endpoint Protection Manager and stored in a database.

You can modify the log settings for the Symantec Integrated NAP Enforcer on the Symantec Endpoint Protection Manager Console. Activities are recorded in the same Enforcer Server log for all Enforcers on a site.

You can configure settings for the following logs that the Symantec Integrated NAP Enforcer generates:

■ Enforcer Server log

■ Enforcer Client log

The Client log provides information about interactions between the Integrated Enforcer and the clients that have tried to connect to the network. It provides information on authentication, failed authentication, and disconnection.


Page 393: Enforcer Implementation Guide SNAC11.0.5

Section 6

Administering enforcers from the Symantec Endpoint Protection Manager console

■ Chapter 26. Managing Enforcers on the Symantec Endpoint Protection Manager console


Page 395: Enforcer Implementation Guide SNAC11.0.5

Chapter 26

Managing Enforcers on the Symantec Endpoint Protection Manager console

This chapter includes the following topics:

■ About managing Enforcers on the management server console

■ About managing Enforcers from the Servers page

■ About Enforcer groups

■ About the Enforcer information that appears on the Enforcer console

■ Displaying information about the Enforcer on the management console

■ Changing an Enforcer’s name and description

■ Deleting an Enforcer or an Enforcer group

■ Exporting and importing Enforcer group settings

■ Pop-up messages for blocked clients

■ About client settings and the Enforcer

■ Configuring clients to use a password to stop the client service

Page 396: Enforcer Implementation Guide SNAC11.0.5

About managing Enforcers on the management server console

The Symantec Enforcer settings on the management server console help you configure the Enforcer, its authentication interactions, and enforcement interactions with clients. Before you configure the Enforcer settings on the console, you complete the installation and setup of the Enforcer on the Enforcer appliance or computer.

The Enforcer settings on the Symantec Endpoint Protection Manager Console depend on which type of Enforcer you configure: Gateway, LAN, or DHCP appliance. Therefore, the settings for each are covered separately.

You do most Enforcer configuration and administration from the console. Most Enforcer configuration settings can only be changed on the console. However, some Enforcer settings require you to edit an Enforcer file on the Enforcer computer rather than on the console. Almost all settings for Enforcers are set from the Servers page on the console. The LAN Enforcer has a few additional required settings on the Policies page.

If you administer multiple Enforcers and are responsible for other tasks, it is generally more convenient to administer them all in one centralized location. The console provides this capability. You can log on to a console to display information about all Enforcers.

You must perform a few tasks on the computer on which the Enforcer is installed. The tasks include using the Enforcer local console rather than the management console and hardware maintenance tasks. For example, you troubleshoot an Enforcer and a console connection on the Enforcer itself. To define the problem, you may need to physically check the status of the Enforcer computer hardware or change its network connection.

This chapter does not include information on how to configure the Symantec Enforcement client, which is a separate component from the Enforcer.

About managing Enforcers from the Servers page

The Servers page on the management console lists installed Enforcers, along with connected servers and consoles, in the View Servers pane. Each Enforcer is listed under a group name. You edit Enforcer properties at the group level.

See “Changing an Enforcer’s name and description” on page 400.

You need full system administrator privileges to view the Servers page.


Page 397: Enforcer Implementation Guide SNAC11.0.5

About Enforcer groups

Enforcer configuration on the console is done at the Enforcer group level rather than at the individual Enforcer level. Enforcers are listed under a group name on the console Servers page.

Enforcer groups are a way to synchronize Enforcer settings. All Enforcers in a group share the same settings (properties). To update the Enforcer properties, you must select the group name in the View Servers pane and edit the group properties.

How the console determines the Enforcer group name

When you set up the console connection on the Enforcer local console, you can specify a group name. The Enforcer registers itself with the console after establishing the connection. The console automatically assigns the Enforcer to the specified group and lists the Enforcer under the group name in the console View Servers pane. If you do not specify a name during setup, the console assigns the Enforcer to a default Enforcer group. The console uses the name of the Enforcer computer as the group name.

About failover Enforcer groups

A new Enforcer identifies itself to the console as a standby failover Enforcer. This identification happens if you add a failover DHCP Enforcer or a Gateway Enforcer that connects by a hub or switch to the same subnet. The console then assigns the new standby failover Enforcer to the same group as the active Enforcer. The assignment occurs whether or not you specified a group name during setup on the local console. This action ensures that the failover DHCP or Gateway Enforcer has exactly the same settings as the primary Enforcer.

For LAN Enforcers, failover is handled through the switch rather than through the Enforcer, so the automatic assignment to the same group does not occur. You can ensure that multiple LAN Enforcers share settings by specifying the same group name in the Enforcer local console on the console Settings dialog box.

About changing a group name

You cannot change an Enforcer group name from the console. However, you can specify a new group name from the Enforcer local console. The Enforcer then moves into the new group. You may need to refresh the console screen to see the change.


Page 398: Enforcer Implementation Guide SNAC11.0.5

About creating a new Enforcer group

Usually, you only need to create a new Enforcer group if you add an Enforcer that requires different settings from the existing Enforcers.

You can create a new Enforcer group on the Enforcer local console by specifying the new name on the console Settings dialog box. The new group has the Enforcer default settings.

You can leave the group name field blank when you connect the new Enforcer from the local console. In that case, the console assigns the Enforcer to a new group. This group takes the name of the Enforcer computer and its default settings.

You can use the same method to move an Enforcer to another group. Specify the desired group name from the Enforcer local console. The Enforcer takes on the settings of the group to which it is moved.

About the Enforcer information that appears on the Enforcer console

You can display information about the Enforcer on the Enforcer console.

You can only change the settings for network interface cards on the Enforcer appliance, not on the management console. If you change the NIC configuration on the Enforcer appliance, the new settings are uploaded to the management console during the next heartbeat.

You can view similar information about the Enforcer on the Enforcer console.

Table 26-1 describes the type of information that you can view.

Table 26-1 Information about the Enforcer appliance on the Enforcer console

Field | Description
Name | Same as Hostname field.
Description | Brief description of the Enforcer. The description is the only information that you can edit on the management console.
Version | Version of the Enforcer software that runs on the selected Enforcer computer.
Hostname | Name of the computer on which the Enforcer is installed.
Operating System | Operating system that is running on the computer on which the selected Enforcer is installed.


Page 399: Enforcer Implementation Guide SNAC11.0.5

Table 26-1 Information about the Enforcer appliance on the Enforcer console (continued)

Field | Description
Online Status | Online: The service is running and is the primary active Enforcer. Offline: The service is stopped.
Failover Status | (Gateway and DHCP Enforcer only) Whether the Enforcer is active or on standby.
Internal IP | IP address of the internal network interface card.
External IP | (Gateway and DHCP Enforcer only) IP address of the external network interface card.
Internal MAC | The MAC address of the internal network interface card.
External MAC | (Gateway and DHCP Enforcer only) The MAC address of the external network interface card.
Internal NIC | Manufacturer and model of the internal network interface card.
External NIC | (Gateway and DHCP Enforcer only) Manufacturer and model of the external network interface card.

Displaying information about the Enforcer on the management console

You can display information about the Enforcer from a console.

See Table 26-1 on page 398.

To display information about the Enforcer on the management console

1 In the Symantec Endpoint Protection Manager Console, on the Admin page, click Servers.

2 Under View Servers, click the name of the Enforcer about which you want to view information.

Information about the LAN Enforcer appliance does not appear in the fields that refer to the external NIC, because the LAN Enforcer appliance only requires an internal NIC. No failover status is shown because a switch manages LAN Enforcer failover.


Page 400: Enforcer Implementation Guide SNAC11.0.5

Changing an Enforcer’s name and description

The Enforcer name is always the host name of the appliance or computer on which it is installed. You can only change the Enforcer name by changing the host name of the computer.

You can change the Enforcer description from the console. For example, you may want to enter a description to identify the Enforcer location.

To change an Enforcer’s description

1 In the console, on the Admin page, click Servers.

2 Under View Servers, click the Enforcer name and then under Tasks, click Edit Enforcer Properties. The Properties dialog box appears. The name field is not editable.

3 Enter the desired text in the Description text box.

4 Click OK.

You can also edit the Enforcer description by right-clicking the name of the Enforcer and selecting Properties.

Deleting an Enforcer or an Enforcer group

You can delete an Enforcer on the management console. When you delete an Enforcer, it frees up a license because the computer being used is no longer running an Enforcer. You cannot delete an Enforcer from the console while the Enforcer is online. You can turn off the Enforcer and then delete it. When you restart the Enforcer computer, the Enforcer reconnects to the console. The Enforcer registers itself again and reappears on the Servers page. To delete an Enforcer permanently from the console, first uninstall the Enforcer from the Enforcer computer.

To delete an Enforcer after you have uninstalled the Enforcer from the Enforcer computer

1 Turn off or uninstall the Enforcer on the Enforcer computer.

2 In the console, on the Admin page, click Servers.

3 Under View Servers, click the Enforcer name, and then under Tasks, click Delete Enforcer. A message box asks you to confirm the deletion.

4 To confirm the deletion, click Yes.

If there are no Enforcers listed in an Enforcer group and you no longer want to use that group, you can delete the Enforcer group. The group must no longer include any names of Enforcers before you can delete it. When you delete an Enforcer group, you delete any customized settings for the group.


Page 401: Enforcer Implementation Guide SNAC11.0.5

To delete an Enforcer group

1 In the Symantec Endpoint Protection console, click Admin. In the Admin page, click Servers.

2 Under View Servers, click the Enforcer group name.

3 Click Delete Group.

A message box asks you to confirm the deletion.

4 To confirm the deletion, click Yes.

Exporting and importing Enforcer group settings

You may want to export or import settings for an Enforcer group. Settings are exported to a file in .xml format. When you import settings, you must import them into an existing Enforcer group, which overwrites the selected group settings.

To export Enforcer group settings

1 In the management console, on the Admin page, click Servers.

2 Under View Servers, click the Enforcer group name and then click Export Group Properties.

3 Select a location in which to save the file and specify a file name.

4 Click Save.

When you import settings, you must import them into an existing Enforcer group, which overwrites the selected group settings.

To import Enforcer group settings

1 In the management console, on the Admin page, click Servers.

2 Under View Servers, click the Enforcer group name whose settings you want to overwrite and then click Import Group Properties.

3 Select the file that you want to import and then click Open.

You are prompted to confirm overwriting the current Enforcer group properties.

4 Click Yes.

Pop-up messages for blocked clients

When an Enforcer blocks a client that tries to connect to the network, the following two types of pop-up messages can be configured:


Page 402: Enforcer Implementation Guide SNAC11.0.5

■ Message for the computers that are running a client

■ Message for Windows computers that are not running a client (Gateway or DHCP Enforcer only)

Messages for the computers that are running the client

If the Enforcer blocks computers even though they are running a client, there can be several causes. A blockage can occur because a Host Integrity check failed or because the client policy is not up-to-date. When these events occur, you can specify that a pop-up message displays on the client. That message notifies the user that the Enforcer has blocked all traffic from the client and why it was blocked. For example, the following message is displayed if the client has failed the Host Integrity check:

Symantec Enforcer has blocked all traffic from the client because the client failed Host Integrity.

You can add text to the default message. For example, you may want to tell the computer user what to do to remedy the situation. You configure this message as part of the client group policy settings rather than the Enforcer settings.

Messages for Windows computers that are not running the client (Gateway or DHCP Enforcer only)

In some cases, clients try to connect to the enterprise network without running the client. Gateway and DHCP Enforcers provide a pop-up message to inform users on Windows computers of the need to install the client software. The message tells the clients that they are blocked from accessing the network because the Symantec client is not running. You can configure the contents of the message on the Authentication tab of the Enforcer Settings dialog box. Use the Enable pop-up message option on the client if client is not running.

Note: For the Gateway Enforcer only, an alternative to the pop-up message is the HTTP Redirect option. The HTTP Redirect option connects the client to a Web site with remediation instructions or capabilities.

For the Enforcer to cause the client to display a message, UDP ports 137 and 138 must be open to transmit the message.

Windows Messaging, also called Messenger, must be running on Windows NT-based systems (Windows NT 4.0, 2000, XP, and Windows Server 2003) for the computer to display pop-up messages. If the client is running, Windows Messaging is not required for displaying a pop-up message from the client.


Page 403: Enforcer Implementation Guide SNAC11.0.5

Setting up the Enforcer messages

You can configure the Enforcer messages that appear on the clients when an Enforcer blocks the clients.

Note: You can modify the settings only for the groups that do not inherit settings from a parent group.

To set up the Enforcer messages

1 In the console, on the Clients page, select the Policies tab.

2 Under View Policies, select the group for which you want to specify a pop-up message.

3 Under Settings, select General Settings. The Group Settings dialog box appears with the General Settings tab selected.

4 On the Security Settings tab, select Display a message when a client is blocked by a Symantec Enforcer.

5 If you want to add text to the default message, click Set Additional Text, then type the text, and click OK.

6 Click OK.

About client settings and the Enforcer

Symantec clients work with the Enforcer with no special configuration. The exception is some 802.1x authentication settings required for the LAN Enforcer. Also, there is one situation you should be aware of when configuring clients. If an end user stops the client while it is running, a problem could occur.

Configuring clients to use a password to stop the client service

The client can pass Enforcer authentication initially, while the client is running, and receive a normal network configuration and IP address. If the client later fails authentication, the Enforcer sends a message to the client. This failure causes the client to do a release and renew of the IP address. However, if the end user stops the client on the client computer, the Enforcer is unable to enforce the release and renew. To ensure that the Enforcer can continue to quarantine or block clients, you may want to restrict which users are allowed to stop a client. You can restrict users by requiring a password for the end user to stop the client.


Page 404: Enforcer Implementation Guide SNAC11.0.5

To configure clients to use a password to stop the client service

1 In the console, on the Client page, select the client group.

2 On the Policies tab, under Settings, click General Settings.

3 On the Security Settings tab, under Client Password Protection, select Require a password to stop the client service and specify the password.

4 Click OK.


Page 405: Enforcer Implementation Guide SNAC11.0.5

Section 7

Working with enforcer reports and logs

■ Chapter 27. Managing Enforcer reports and logs


Page 407: Enforcer Implementation Guide SNAC11.0.5

Chapter 27

Managing Enforcer reports and logs

This chapter includes the following topics:

■ About Enforcer reports

■ About Enforcer logs

■ Configuring Enforcer log settings

About Enforcer reports

The Reports page on the Symantec Endpoint Protection Manager Console provides both predefined reports and custom reports. You can view the predefined Quick Reports that contain information about Enforcers on the Reports page.

The following Enforcer reports are available:

■ The System report that is called Top Enforcers That Generate Errors contains information about Enforcers that generated errors and warnings.

■ The System report that is called Site Status contains information about Enforcer system, traffic, and packet log throughput.

■ The Compliance reports contain information about the compliance status of clients.

See the Administration Guide for Symantec Endpoint Protection Manager and Symantec Network Access Control for detailed information about Enforcer reports.

See “About Enforcer logs” on page 408.

Page 408: Enforcer Implementation Guide SNAC11.0.5

About Enforcer logs

Enforcers provide the following logs that you can use to monitor and troubleshoot system activity:

■ Enforcer Server log. See “About the Enforcer Server log” on page 408.

■ Enforcer Client log. See “About the Enforcer Client log” on page 409.

■ Enforcer Traffic log (Gateway Enforcer only). See “About the Gateway Enforcer Traffic log” on page 410.

By default, Enforcer logs are stored on the same computer on which the Enforcer software is installed or on the Enforcer appliance itself. You can have the logs automatically sent from the Enforcer appliance or the computer on which you installed an Integrated Enforcer to the Symantec Endpoint Protection Manager Console. However, you must enable the sending of the logs on the Symantec Endpoint Protection Manager Console.

The log data is sent from the Enforcer to the Symantec Endpoint Protection Manager and stored in the database. You can modify the Enforcer log settings, view Enforcer logs, and generate reports about the Enforcers on the Symantec Endpoint Protection Manager Console. Activities are recorded in the same Enforcer Server log for all Enforcers on a site.

Note: A system log called Enforcer Activity is also available on the Symantec Endpoint Protection Manager Console. It contains information about events such as when Enforcers start and when they connect to the Symantec Endpoint Protection Manager.

About the Enforcer Server log

The Enforcer Server log provides the information that is related to the functioning of an Enforcer.

Table 27-1 describes the information that is available in the Enforcer Server log.


Page 409: Enforcer Implementation Guide SNAC11.0.5

Table 27-1 Enforcer Server log information

Log column name | Description
Time | The date and time of the logged event. You should keep the time of the Enforcer Server log synchronized with the Linux system time on the Enforcer appliance. You may need to manually change the time on the Enforcer appliance to match changes to daylight saving time (DST).
Event Type | The type of event. For example, Enforcer registered or Server received Enforcer log are types of events.
Enforcer Name | The name of the Enforcer that this event involves.
Site | The name of the site that this event involves.
Server | The name of the server that this event involves.

About the Enforcer Client log

An Enforcer Client log provides information about the interactions between an Enforcer and a client that has tried to connect to the network. It shows information about authentication, failed authentication, and disconnection.

In a peer-to-peer authentication scenario, the Enforcer Client log also shows information about authentication, failed authentication, and disconnection. The information is for interactions between the clients that act as Enforcers and remote clients. The remote clients try to connect to the network through the clients that act as Enforcers.

Table 27-2 describes the information that is available in the Enforcer Client log.

Table 27-2 Enforcer Client log information

Log column name | Description
Time | The date and time that the interaction with the client occurred.
Enforcer Name | The host name of the Enforcer appliance or computer that this event involves.
Enforcer Type | The type of Enforcer that this event involves, either a Gateway Enforcer appliance, a DHCP Enforcer appliance, or a LAN Enforcer appliance.


Page 410: Enforcer Implementation Guide SNAC11.0.5

Table 27-2 Enforcer Client log information (continued)

DescriptionLog column name

The name of the site that this event involvesSite

The host name of the client that this event involves, if anyRemote Host

The action that the Enforcer took. This column can containthe following actions:

■ Authenticated

The client’s unique identifier (UID) was correct.

■ Rejected

The client’s UID was incorrect or no client was running.

■ Disconnected

The client has disconnected from the Enforcer or theEnforcer service has stopped.

■ Passed

The client passed the Host Integrity check.

■ Failed

The client failed the Host Integrity check.

Action

The MAC address of the clientRemote MAC
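The table above lists what the Client log records but not how an operator would work with it. The following is an added example, not Symantec's code or a documented export format: it assumes the log has been exported as CSV with the Table 27-2 column names as the header, builds a few constructed rows, validates the header and the Action values against the table, and picks out the hosts that deserve a look first (a MAC that is repeatedly Rejected, which the table explains means a wrong UID or no client running, and any host that Failed the Host Integrity check). The function names and the rejection threshold are assumptions.

```python
"""Triage of an Enforcer Client log export.

Added example, not Symantec code. The column names and Action values come from
Table 27-2; the CSV layout, the sample rows and the function names are assumptions.
"""
import csv
from collections import Counter
from io import StringIO

# Column names exactly as documented in Table 27-2.
COLUMNS = ["Time", "Enforcer Name", "Enforcer Type", "Site",
           "Remote Host", "Action", "Remote MAC"]

# Action values the Client log can carry (Table 27-2).
KNOWN_ACTIONS = {"Authenticated", "Rejected", "Disconnected", "Passed", "Failed"}

# Constructed sample export (CSV layout assumed). In this sample the Remote Host
# column is left empty for the Rejected rows, since no client ever identified itself.
# The last row carries a value outside the documented Action set on purpose.
SAMPLE_LOG = """\
Time,Enforcer Name,Enforcer Type,Site,Remote Host,Action,Remote MAC
2009-03-02 08:00:01,gw-enf-01,Gateway Enforcer appliance,HQ,laptop-17,Authenticated,00:11:22:33:44:55
2009-03-02 08:00:02,gw-enf-01,Gateway Enforcer appliance,HQ,laptop-17,Passed,00:11:22:33:44:55
2009-03-02 08:01:10,gw-enf-01,Gateway Enforcer appliance,HQ,,Rejected,00:aa:bb:cc:dd:ee
2009-03-02 08:01:40,gw-enf-01,Gateway Enforcer appliance,HQ,,Rejected,00:aa:bb:cc:dd:ee
2009-03-02 08:02:05,gw-enf-01,Gateway Enforcer appliance,HQ,,Rejected,00:aa:bb:cc:dd:ee
2009-03-02 08:03:00,dhcp-enf-02,DHCP Enforcer appliance,Branch,desktop-04,Authenticated,00:de:ad:be:ef:01
2009-03-02 08:03:01,dhcp-enf-02,DHCP Enforcer appliance,Branch,desktop-04,Failed,00:de:ad:be:ef:01
2009-03-02 08:10:00,gw-enf-01,Gateway Enforcer appliance,HQ,laptop-17,Disconnected,00:11:22:33:44:55
2009-03-02 08:11:00,gw-enf-01,Gateway Enforcer appliance,HQ,laptop-17,Unlisted,00:11:22:33:44:55
"""


def parse_client_log(text):
    """Parse a CSV export into row dicts, refusing files whose header is not Table 27-2."""
    reader = csv.DictReader(StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError("unexpected columns: %r" % (reader.fieldnames,))
    return list(reader)


def summarize(records, reject_threshold=3):
    """Count actions and pick out the hosts an operator would look at first.

    Rejected means the UID was wrong or no client was running, so a MAC that is
    rejected repeatedly is probably a machine without the client. Failed means
    the Host Integrity check failed and the host needs remediation. Any Action
    value outside the documented set is reported so the export can be checked.
    """
    counts = Counter(r["Action"] for r in records)
    unknown = sorted({r["Action"] for r in records if r["Action"] not in KNOWN_ACTIONS})
    rejects = Counter(r["Remote MAC"] for r in records if r["Action"] == "Rejected")
    return {
        "counts": dict(counts),
        "unknown_actions": unknown,
        "repeated_rejects": sorted(m for m, n in rejects.items() if n >= reject_threshold),
        "host_integrity_failed": sorted({r["Remote MAC"] for r in records
                                         if r["Action"] == "Failed"}),
    }


if __name__ == "__main__":
    result = summarize(parse_client_log(SAMPLE_LOG))
    for key, value in result.items():
        print("%-22s %s" % (key, value))
```

The header check matters more than it looks: a report pulled from the wrong log type (for example a Traffic log, whose columns differ) would otherwise be silently mis-read, since every lookup is by column name.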

About the Gateway Enforcer Traffic log

The Traffic log records all traffic that enters through a Gateway Enforcer appliance's external adapter and leaves through the internal adapter.

Note: Traffic logs are available on Gateway Enforcer appliances only. The contents depend on the Traffic log filter that is set in the Gateway Enforcer Settings dialog box.

Table 27-3 describes the information available in the Gateway Enforcer Traffic log.

Table 27-3 Gateway Enforcer appliance Traffic log information

Log column name: Description

Time: The date and time of the traffic event.

Enforcer Name: The name of the Gateway Enforcer appliance that this event involves.

Enforcer Type: The name of the type of Enforcer that this event involves, either a Gateway Enforcer appliance, a DHCP Enforcer, or a LAN Enforcer.

Site: The name of the site that this event involves.

Local Port: The TCP port or UDP port of the packet destination.

Local Host IP: The IP address of the packet source.

Remote Host IP: The IP address of the packet destination.

Direction: The direction of the traffic: either inbound, which enters the Gateway Enforcer appliance, or outbound, which leaves the Gateway Enforcer appliance.

Action: The action taken. For example, the action can be authenticated or blocked.

Count: The number of times the same packet was received.

Configuring Enforcer log settings

You can configure settings for Enforcer logs in the Enforcer name Settings dialog box on the Logging tab. The changes are sent to the selected Enforcer during the next heartbeat.

Disabling Enforcer logging on the Symantec Endpoint Protection Manager Console

By default, Enforcer logging is enabled. You can disable it on the Symantec Endpoint Protection Manager Console. If you disable logging, you can enable it again from this same location.

To disable Enforcer logging on the Symantec Endpoint Protection Manager Console

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group for which you want to disable Enforcer logging.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Enforcer name Settings dialog box, on the Logging tab, uncheck Enable logging for each log that you want to disable.

6 Click OK.

Enabling the sending of Enforcer logs from an Enforcer to the Symantec Endpoint Protection Manager

By default, all logs are automatically sent to the Symantec Endpoint Protection Manager from the Enforcer appliance or from the computer on which you installed any of the software-based Integrated Enforcers. As soon as you enable the sending of logs, you can view all Symantec logs in a central location on the Symantec Endpoint Protection Manager Console.

To enable the sending of Enforcer logs from an Enforcer to the Symantec Endpoint Protection Manager

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group for which you want to enable the sending of Enforcer logs from an Enforcer to a Symantec Endpoint Protection Manager.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Enforcer name Settings dialog box, on the Logging tab, check Send the log to the management server.

You can enable the sending of each type of log from an Enforcer appliance or a computer on which you installed any of the software-based Integrated Enforcers to the Symantec Endpoint Protection Manager.

6 Click OK.

Setting up the size and age of Enforcer logs

You can specify the maximum size of Enforcer log files and how many days log entries are stored.

To set up the size and age of Enforcer logs

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group for which you want to set the size and age of Enforcer logs.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Enforcer name Settings dialog box, on the Logging tab, in each of the Maximum log file size fields, specify the number of KB of data to maintain in each log.

The default setting is 512 KB.

6 In the Log entry will expire after field, specify the number of days that the entry remains in the database before it is removed.

The range is 1 day to 365 days, with a default of 30 days.

7 Click OK.

Filtering the Traffic logs for an Enforcer

If you have many clients that connect through an Enforcer, it may generate a large Traffic log. You can filter the type of data that an Enforcer logs in a Traffic log and thus reduce the average log size. The filter list enables you to filter the traffic that an Enforcer logs before the data is retained.

To filter the Traffic logs for an Enforcer

1 In the Symantec Endpoint Protection Manager Console, click Admin.

2 In the Admin page, click Servers.

3 In the Admin page, under View Servers, select the Enforcer group for which you want to filter Traffic logs.

4 In the Admin page, under Tasks, click Edit Group Properties.

5 In the Enforcer name Settings dialog box, on the Logging tab, in the Traffic log filter list, select one of the following filter options:

All traffic: Logs all traffic, including traffic that is allowed and traffic that is dropped.

Only blocked traffic: Logs only the clients that the Enforcer blocks.

Only allowed traffic: Logs only the traffic that the Enforcer allows.

6 Click OK.
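The two procedures above (log size and age, and the Traffic log filter) interact: the filter decides what is retained at all, the size cap decides how much of it is kept, and the expiry decides for how long. The following is an added example, not Symantec's code and not a description of how the appliance stores its logs internally: it models the three filter options, the 512 KB default size and the 1 to 365 day expiry range from the text over a few constructed Traffic log records with Table 27-3 column names. The record layout, the byte-size estimate, the class and function names, and the treatment of "allowed" as any action other than blocked are assumptions.

```python
"""Model of the Traffic log filter and retention settings on the Logging tab.

Added example, not Symantec code. The three filter options, the 512 KB default
size and the 1 to 365 day expiry range come from the text; the record layout,
the size estimate, the sample records and the class and function names are
assumptions.
"""
import json
from datetime import datetime, timedelta

# Filter options as listed on the Logging tab. Traffic log actions are, for
# example, "authenticated" or "blocked"; "allowed" is modelled as "not blocked".
FILTER_OPTIONS = {
    "All traffic": lambda rec: True,
    "Only blocked traffic": lambda rec: rec["Action"] == "blocked",
    "Only allowed traffic": lambda rec: rec["Action"] != "blocked",
}
DEFAULT_MAX_LOG_KB = 512      # default of each Maximum log file size field
DEFAULT_EXPIRE_DAYS = 30      # default of Log entry will expire after


class TrafficLog:
    """Applies the filter before a record is retained, then enforces size and age."""

    def __init__(self, filter_option="All traffic",
                 max_log_kb=DEFAULT_MAX_LOG_KB, expire_days=DEFAULT_EXPIRE_DAYS):
        if filter_option not in FILTER_OPTIONS:
            raise ValueError("unknown Traffic log filter: %r" % (filter_option,))
        if not 1 <= expire_days <= 365:
            raise ValueError("Log entry will expire after must be 1 to 365 days")
        if max_log_kb <= 0:
            raise ValueError("Maximum log file size must be positive")
        self.filter_option = filter_option
        self.max_log_kb = max_log_kb
        self.expire_days = expire_days
        self.entries = []
        self.dropped_by_filter = 0

    def record(self, rec):
        """Retain rec if the filter accepts it; drop oldest entries beyond the size cap."""
        if not FILTER_OPTIONS[self.filter_option](rec):
            self.dropped_by_filter += 1
            return False
        self.entries.append(rec)
        while self.size_bytes() > self.max_log_kb * 1024 and len(self.entries) > 1:
            self.entries.pop(0)
        return True

    def size_bytes(self):
        """Rough on-disk size: one JSON line per entry (assumption)."""
        return sum(len(json.dumps(e, default=str)) + 1 for e in self.entries)

    def purge_expired(self, now):
        """Remove entries older than expire_days; returns how many were removed."""
        cutoff = now - timedelta(days=self.expire_days)
        keep = [e for e in self.entries if e["Time"] >= cutoff]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed


NOW = datetime(2009, 3, 2, 12, 0, 0)   # constructed "current" time


def _rec(age, local_port, src, dst, direction, action, count=1):
    """Build a constructed Traffic log record using the Table 27-3 column names."""
    return {"Time": NOW - age, "Enforcer Name": "gw-enf-01",
            "Enforcer Type": "Gateway Enforcer appliance", "Site": "HQ",
            "Local Port": local_port, "Local Host IP": src, "Remote Host IP": dst,
            "Direction": direction, "Action": action, "Count": count}


# Constructed sample traffic: four blocked and two allowed packets, one of them
# 40 days old so that it falls outside the default 30 day retention window.
SAMPLE_TRAFFIC = [
    _rec(timedelta(minutes=5), 80, "10.1.1.20", "192.0.2.10", "inbound", "blocked"),
    _rec(timedelta(minutes=4), 443, "10.1.1.21", "192.0.2.10", "inbound", "authenticated"),
    _rec(timedelta(minutes=3), 445, "10.1.1.22", "192.0.2.11", "inbound", "blocked", count=12),
    _rec(timedelta(minutes=2), 53, "192.0.2.10", "10.1.1.21", "outbound", "authenticated"),
    _rec(timedelta(minutes=1), 3389, "10.1.1.23", "192.0.2.12", "inbound", "blocked"),
    _rec(timedelta(days=40), 22, "10.1.1.24", "192.0.2.10", "inbound", "blocked"),
]


def retained(filter_option, records=SAMPLE_TRAFFIC,
             expire_days=DEFAULT_EXPIRE_DAYS, now=NOW):
    """Feed records through a log with the given filter, purge, and report (kept, purged)."""
    log = TrafficLog(filter_option, expire_days=expire_days)
    for r in records:
        log.record(r)
    purged = log.purge_expired(now)
    return len(log.entries), purged


if __name__ == "__main__":
    for option in FILTER_OPTIONS:
        print("%-22s kept %d, purged %d" % ((option,) + retained(option)))
```

Running it shows why "Only blocked traffic" is the usual choice on a busy Gateway Enforcer: with the size cap fixed, every allowed packet that is logged displaces an older entry, so the all-traffic setting shortens the effective history of exactly the blocked events an investigation is most likely to need.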


Index

Symbols
802.1x
  authentication 36, 189
  authentication Server 37
  authenticator 37
  configuring authentication 191
  EAP-over-LAN (EAPOL) 37
  Extensible Authentication Protocol (EAP) 37
  supplicant 37, 300
  switch configuration 182
  wireless access points 149

A
Access control lists (ACLs) 150
antivirus software 297
ARP request packet 117
authentication 109
  802.1x basic configuration 36
  allowing non-authenticated clients 132
  allowing non-Windows clients 133
  and Integrated Enforcer 344
  and non-authenticated clients 102, 359
  and non-Windows clients 103, 360
  and reauthentication 101
  and trusted hosts 363
  commands 216, 239, 246, 248, 299
  DHCP Enforcer appliance 127, 144
  failure 101, 141
  Gateway Enforcer appliance 32, 94, 119
  Integrated Enforcer 354, 356, 365
  Integrated Enforcer for Microsoft DHCP Servers 305
  LAN Enforcer appliance 73, 189
  local 363
  process 31
  reauthentication 179, 192
  switch policy 186
  Symantec Integrated NAP Enforcer 390
  trusted range 107
  types of 30
authentication process
  DHCP Enforcer appliance 129
  Gateway Enforcer 97
automatic quarantine 347
  client 141

C
capture command 208, 239
  filter 239
  show 240
  start 241
  upload 242
  verbose 242
challenge packet
  specifying maximum number 130
  specifying the frequency of 131
challenge packets 97, 356
  frequency 100
  frequency of 358
  specifying 99, 358
Cisco Network Admissions Control 38
clear command 208, 233
client
  authenticated 98, 129
  authentication 305, 344
  compliance 135, 305, 344
  messages when blocked 401
  non-authenticated 359
  quarantined 32, 136, 305, 344
  Symantec Network Access Control 305, 344
  wireless 149
Client log
  Enforcer 409
compliance
  log 408
  report 407
configure command 208, 243
  advanced 243
  advanced CATOS 243
  advanced Check-UID 243
  advanced DNS spoofing 244

configure command (continued)
  advanced failover 244
  advanced legacy 245
  advanced legacy UID 246
  advanced local authentication 246
  advanced RADIUS 246
  advanced re-initialize 247
  advanced show 248
  advanced SNACS 247
  advanced user-class 248
  DNS add IP address 249
  DNS delete IP address 249
  interface 250
  interface-role 251
  ntp 251
  redirect 252
  route 252
  show 253
  spm 253
configuring
  Enforcer log 411
connectors
  Enforcer appliance 73
console
  displaying Enforcer information 399
  Enforcer 398
  Enforcer management 396
  Servers page 396
console command 208, 254
  baud-rate 254
  show 255
  ssh 255
  sshkey 255
controls
  Enforcer appliance 73

D
date command 233
debug
  commands 255, 294
  log 294
debug command 208
  destination 256
  level 256
  show 257
  upload 257
DHCP Enforcer
  appliance commands 216
DHCP Enforcer appliance
  about 27, 72, 122
  advanced user-class command 248
  authentication 127
  configuring 122
  failover 57, 72
  how it works 33
  installation 75
  installation planning 52
  IP address 54
  network interface card configuration 251
  NIC 75
  remediation server 72
DHCP request packet 117
DHCP server
  and Integrated Enforcer 315
  and non-authenticated clients 359
  as quarantine server 356
  DHCP Enforcer appliance 136
  Integrated Enforcer for Microsoft DHCP Servers 305, 344
  maximum number in network 136
  quarantine 248
  quarantined clients 136
  restarting 344
DNS request packet 117
DNS spoofing
  command 244
  enabling 143
domain name server 249

E
encrypted password 344
encryption
  password 177
  Symantec Integrated NAP Enforcer 384
Enforcer
  about a group 397
  changing a group 398
  changing a group name 397
  Client log 409
  console 398
    managing 396
  creating a group 398
  deleting 400
  DHCP failover 397
  editing description 400
  editing name 400
  failover 397

Enforcer (continued)
  Gateway failover 397
  group
    exporting settings 401
    importing settings 401
  LAN failover 397
  log 408
  report 407
  Server log 408
  settings 396
  third-party vendor 38
  Traffic log 410
Enforcer appliance
  alphabetical command reference 216
  back panel 74
  checking communication status 85
  command line interface 207
    help system 213
    keystroke shortcuts 211
    top-level commands 233
  configuring 78
  connectors 73
  console commands 254
  controls 73
  debug commands 255
  DHCP 26
  Enforcer appliance, command line interface
    command conventions 215
  frequently asked questions 297
  front panel 73
  Gateway 26
  hardware specifications 74
  indicators 73
  installing 71
  LAN 26
  lock 80
  logging on 82
  mab commands 258
  mab database commands 258
  monitor reports 86
  purpose 28
  reimaging 70
  showing status 86
  troubleshooting 293
  type of enforcement 26
  use 28
Enforcer log
  configuring 411
  disabling 411
  retention 412
  sending to management console 412
  size 412
Enforcer Server log
  name of Enforcer involved in event 409
  name of server responsible for event 409
  site where event took place 409
  time of logged event 409
  type of event 409
Enforcer Traffic log
  filtering 413
Enforcers
  authenticates client with UID 31
  client settings 403
  Gateway 88
  restricting client stoppage 403
exit command 208, 233
exporting
  Enforcer group settings 401

F
failover
  command 244
  DHCP Enforcer appliance 57
  Gateway Enforcer appliance 45, 49
  LAN Enforcer appliance 64

G
Gateway Enforcer
  and Symantec Endpoint Protection Manager configuration 88
  appliance commands 216
  multiple installations 113
  network locations 42
Gateway Enforcer appliance
  about 27, 72
  ARP request packet 117
  authentication 32
  DHCP request packet 117
  DNS request packet 117
  Failover 49
  failover 45
  how it works 32
  installation 72, 75
  installation planning 42
  installing 71
  IP address 45

Gateway Enforcer appliance (continued)
  network interface card configuration 251
  network locations 72
  NIC 75
  non-Windows client 47
  non-Windows server 47
  other protocols 117
  remote access server (RAS) 45
  server protection 46
  servers 43
  Traffic log 410
  VPN 43, 46
  wireless access point (WAP) 43
  wireless access points (WAP) 46
group
  DHCP Enforcer appliance 124
  Gateway Enforcer appliance 91
  Integrated Enforcer 349
  LAN Enforcer appliance 152
  RADIUS server 156, 178

H
hardware requirements for Integrated Lucent Enforcer 333
hardware specifications
  Enforcer appliance 74
heartbeat
  between Symantec Endpoint Protection Manager and Enforcer 31
help command 208, 234
host integrity
  check 30
  Enforcer appliance 30
  frequently asked questions 299
  message 299
  RADIUS server 148
  status 31
  supported software 297
Host Integrity check
  and Integrated Enforcer 356
host integrity policy
  global level 299
  group level 299
hostname command 208, 235

I
importing
  Enforcer group settings 401
indicators
  Enforcer appliance 73
installation
  DHCP Enforcer appliance 71–72, 75
  Gateway Enforcer appliance 71–72, 75
  LAN Enforcer appliance 71, 73, 75
  prerequisites 71
  Symantec Integrated Enforcer
    command line 315
    install wizard 315
  Symantec Integrated NAP Enforcer 377
installation planning
  DHCP Enforcer appliance 52
  Gateway Enforcer appliance 42
  LAN Enforcer appliance 61
Integrated DHCP Enforcer
  Microsoft DHCP Servers 305
Integrated Enforcer
  and Network Access Control Scanners 362
  and policy serial number checking 361
  and Symantec Endpoint Security Manager communication 344
  and Symantec Network Access Control clients 315
  communication settings 344, 362
  connection to management server 351
  installing 315
  Microsoft DHCP Servers 26
  Microsoft NAP 26
  quarantine 347
  trusted vendors 353
Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers
  component 330
  hardware requirements 333
  planning 329
  type of enforcement 28
Integrated Enforcer for Microsoft DHCP Servers
  hardware requirements 312
  Microsoft DHCP server 344
  operating system requirement 313
  planning 313
  required component 312
  Symantec Network Access Control client 305, 344
  type of enforcement 28
Integrated Enforcer for Microsoft NAP
  type of enforcement 28

Integrated Enforcer for Microsoft Network Access Protection
  operating system requirements 374
  planning 373
  required component 374
Integrated Lucent Enforcer
  disconnecting from management server list 367
  operating system requirements 333
interface-role command 251
IP address
  DHCP Enforcer appliance 54
  Gateway Enforcer 98
  Gateway Enforcer appliance 45
  Integrated Enforcer 350
  quarantine 56
  trusted 108–109

K
known issues 203, 294

L
LAN Enforcer
  appliance commands 216
LAN Enforcer appliance
  802.1x 189
  802.1x basic configuration 36
  802.1x supplicant 73
  802.1x wireless access points 149
  about 27
  configuration from Symantec Endpoint Protection Manager Console 147
  configuration settings 150
  dynamic VLAN switching 73, 149
  failover 64
  how it works 35
  installation 73, 75
  installation planning 61
  installing 71
  supported switch model 164
  switch settings 163
  transparent mode 36, 300
legacy client
  connecting to DHCP Enforcer appliance 144
  connecting to Gateway Enforcer appliance 118
  connecting to LAN Enforcer appliance 188
Linux operating system 70
listening port
  LAN Enforcer 153
local authentication 363
  command 246
  enabling on DHCP Enforcer appliance 144
  enabling on Gateway Enforcer appliance 119
  enabling on Integrated Enforcer 365
  enabling on LAN Enforcer appliance 189
  enabling on Symantec Integrated NAP Enforcer 390
log. See Enforcer Server log
  compliance 408
  Enforcer 408
  filtering Enforcer Traffic log data 413
  location of 408
  sending from Enforcer to Symantec Endpoint Protection Manager 408
log-on
  superuser 82
log files
  debug 294
log size
  Enforcer 412
log-on
  normal 82

M
mab command
  database add 258
  database clean 259
  database download 260
  database upload 260
  disable 260
  enable 261
  ldap disable 261
  ldap enable 262
  ldap host 262
  ldap password 262
  ldap port 263
  show 264
mab ldap commands 261
MAC address
  trusted host 363
management console. See console
  Enforcer log 412
management server. See Symantec Endpoint Protection Manager
  legacy 344
management server list 93
message
  Enforcer 401

messages
  Enforcer
    displaying 403
    modifying 403
monitor command 208, 264
  refresh 265
  show 265
  show blocked-hosts 265
  show connected-guests 266
  show connected-users 268

N
Network Access Control Scanner
  and Integrated Enforcer 362
  Integrated Enforcer for Microsoft DHCP Servers 305
Network Access Control Scanners
  and Integrated Enforcer 344
network interface card
  configure command 251
  DHCP Enforcer appliance 75
  Gateway Enforcer appliance 75
network interface cards
  shutdown command 250
NIC. See network interface card
non-compliance message 105
  sending from DHCP Enforcer appliance 135
non-Windows client
  Gateway Enforcer appliance 47
non-Windows server
  Gateway Enforcer appliance 47
normal
  log on 82
ntp command
  disable 251
  enable 251
  server string 251

O
on-demand authentication ad command 272
  ad domain 273
  disable 272
  enable 273
on-demand authentication command 271
  disable 274
  enable 274
on-demand authentication local-db command 275
  add 275
  disable 275
  enable 276
on-demand banner command 277
on-demand client-group command 277
on-demand command 271
on-demand dot1x certificate command 278
  import 279
  remove 280
on-demand dot1x command 278
on-demand dot1x show certificate command
  show 281
operating system requirement 333

P
password
  default 78
  encryption 177
  replacement 78
password command 208, 235
password protection
  client 403
  Enforcers 403
ping command 208, 235
planning
  Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers 329
    See also Integrated Lucent Enforcer
  Integrated Enforcer for Microsoft DHCP Servers 313
  Integrated Enforcer for Microsoft Network Access Protection 373
policy enforcement 300
policy serial number 134
policy serial number check
  and Gateway Enforcer 104
policy serial number checking 361
profile serial number 129

Q
quarantine 136
  and Integrated Enforcer 344, 347, 356
  DHCP Enforcer appliance 52
  DHCP server 56, 72
  Integrated Enforcer for Microsoft DHCP Servers 305
  user-class ID 248

R
RADIUS server 300
  and LAN Enforcer 156
  friendly name 159
  host integrity policy 148
  LAN Enforcer appliance 148
  shared secret 161
reauthentication 192
reboot command 208, 236
redirect command 252
redirection
  of HTTP requests 106
Redundant Managers 299
reimaging
  Enforcer appliance 70
remediation 32
Remote access 86
remote access server (RAS)
  Gateway Enforcer appliance 45
report
  compliance 407
  Enforcer 407
  Site Status 407
  System 407
  Top Enforcers That Generate Errors 407
requirement
  hardware for Integrated Enforcer for Alcatel-Lucent VitalQIP DHCP Servers 333
  operating system for Integrated Lucent Enforcer 333
retention of log
  Enforcer 412
route command 252

S
security policy
  Cisco NAC 300
  compliance 305, 344
  DHCP 300
  LAN 300
  non-Symantec 300
  self enforcement 300
  serial number updates 361
  Universal Enforcement API 300
server protection
  Gateway Enforcer appliance 46
shared secret 161
  editing 177
show command 208, 236, 253
  advanced 248
  capture 236
  configure 236
  console 236, 255
  debug 257
  status 236
  update 236
  version 236
shutdown command 208, 236
spm command 253
start command 208, 238
stop command 208, 238
subnet addressing 78
  Integrated Enforcer 344
  secure 305
superuser
  log on 82
switch model 164
switch policy 175
  conditions and actions 184
Symantec Endpoint Protection Manager
  and DHCP Enforcer appliance 122
  and Gateway Enforcer 93
  and Integrated Enforcer 315, 344
  communication with Enforcer 31, 299
  configure SPM command 253
  host integrity 30
  Integrated Enforcer for Microsoft DHCP Servers 305
  LAN Enforcer appliance configuration 147
  trusted IP address 113
Symantec Enforcement client 396
Symantec Integrated NAP Enforcer
  configuring on NAP Enforcer console 382
  connecting to management server 382
  encrypted password 384
  group name 385
  hardware requirements 374
  HTTP communication protocol 386
  HTTP protocol 384
  HTTPS protocol 384
  installing 377
  operating system requirement 375
  removing from management server list 384
System
  report 407

T
traceroute command 208, 238
Traffic log
  Gateway Enforcer appliance 410
transparent mode 149
  authentication 36
troubleshooting 203, 293
trusted host
  client without authentication 142
  configuration 363
  device without authentication 142
  server without authentication 142
trusted network 305, 344
trusted vendors 353

U
unique identification checking 356
unique identifier (UID) 31
  Enforcer authentication for client 31
Universal Enforcement API 38
update command 208, 238

V
VLAN
  wireless access points 149
VLAN switch
  and LAN Enforcer 153
  LAN Enforcer appliance 163
VPN
  Gateway Enforcer appliance 46
vpn 203

W
wireless access points (WAP)
  Gateway Enforcer appliance 46
wireless access term (WAP)
  Gateway Enforcer appliance 43
wireless protocols 149, 179